What's the scope of the vulnerability?
This vulnerability could allow an attacker to run script of the attacker's choice on the user's system via an HTML e-mail. Such a script could take any action on the system that the user could take.
An attacker could exploit this vulnerability only if the recipient has Word configured as the e-mail editor (WordMail) and the recipient chooses to reply to or forward the e-mail.
The attacker's actions would be limited by any restrictions that govern the user's account. In an environment where accounts follow the principle of least privilege, the attacker's script might therefore be significantly limited in what it could do.
What causes the vulnerability?
The vulnerability results from a flaw in how the WordMail editor handles scripting contained in HTML when an e-mail message is replied to or forwarded. In certain circumstances the script is handled unsafely and could run without warning the user.
What is WordMail?
WordMail is another way of saying that you have enabled Word as your e-mail editor. WordMail allows you to create new e-mail messages using most of the features found in Word, such as formatting, AutoText and Check Spelling as You Type.
How does WordMail handle HTML e-mail?
When WordMail is enabled, Word is used for composing, replying to, and forwarding e-mail, including HTML e-mail.
What's wrong with how WordMail handles HTML e-mail in replies or forwards?
The problem results because an e-mail is handled differently when it is read than when it is replied to or forwarded. When you receive and view an HTML e-mail, Outlook renders the message under the Internet Explorer security zone settings, and the script does not run because active scripting is blocked in the zone Outlook applies to e-mail.
When you reply to or forward the e-mail, the new message keeps the format of the message you received. A reply or forward was treated the same as creating a new message, so Word opened it in a less restrictive creation mode that does not block scripts, and the script could run.
How might an attacker exploit this vulnerability?
An attacker could create an HTML e-mail containing script and send it to another user. If the recipient is using Outlook 2000 or Outlook 2002 and chooses to reply to or forward the attacker's HTML e-mail using WordMail, the script could run. It would have access to the user's local system resources and would execute with the same privileges as the user.
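The two sections above describe the ingredients of the attack: an HTML message that carries script, which Outlook's security zone suppresses on viewing but which Word's creation mode does not. The following is an added example, not code from the bulletin or from Microsoft, showing how a mail gateway could detect such active content in an HTML part and how the "read as plain text" idea can be applied upstream by stripping the HTML part down to its text. The sample message is constructed for the example; the script it contains is a harmless placeholder, not an exploit.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real captured e-mail). It carries the three
# forms of active content an HTML body can hold: an inline <script> element,
# an on* event-handler attribute, and a javascript: URL.
SAMPLE_EML = """\
From: attacker@example.invalid
To: victim@example.invalid
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p onmouseover="alert('x')">Please see the attached figures.</p>
<a href="javascript:alert('x')">Open report</a>
<script type="text/vbscript">MsgBox "x"</script>
</body></html>
"""

ACTIVE_ELEMENTS = ("script", "object", "embed", "applet")
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Record every construct in an HTML body that can carry script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"{lname} handler on <{tag}>")
            if lname in ("href", "src") and value and value.strip().lower().startswith(SCRIPT_SCHEMES):
                scheme = value.strip().split(":", 1)[0].lower()
                self.findings.append(f"{scheme}: URL in <{tag} {lname}>")


class TextExtractor(HTMLParser):
    """Keep only visible text; drop <script>/<style> bodies and all attributes."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def find_active_content(raw_message: str) -> list:
    """Return a list of script-bearing constructs found in the text/html parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings


def downgrade_to_plain_text(raw_message: str) -> str:
    """Reduce the message body to plain text, the way the read-as-plain-text
    option does in the client, so no script survives to the reply/forward step."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    pieces = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            pieces.append(part.get_content())
        elif ctype == "text/html":
            extractor = TextExtractor()
            extractor.feed(part.get_content())
            pieces.append("".join(extractor.chunks))
    return "\n".join(pieces)


if __name__ == "__main__":
    for finding in find_active_content(SAMPLE_EML):
        print("flagged:", finding)
    print(downgrade_to_plain_text(SAMPLE_EML))
```

The detector reports three findings for the sample (the event handler, the javascript: URL and the script element), and the downgraded body keeps the sentence and link text while dropping every place script could have been carried. A gateway that only strips `<script>` elements would miss the first two forms, which is why the plain-text downgrade, rather than tag filtering, is the robust counterpart of the client-side workaround.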
How would the attacker know whether the user was using WordMail?
The attacker has no way to discover remotely if a recipient is using WordMail.
Does the vulnerability provide any way for the attacker to force the user to reply to or forward the mail?
No, the user must choose to reply to or forward the e-mail.
Is it possible to craft an HTML e-mail message like this by accident?
No, it would require very specific, detailed knowledge and such a message would have to be specifically constructed with malicious intent.
What can I do to protect myself against this vulnerability?
The best way to protect yourself is to apply the patch to systems running Outlook 2000 or Outlook 2002.
Are there any other steps I can take to protect myself?
Customers who have enabled the feature added in Office XP Service Pack 1 that reads all e-mail that is not digitally signed or encrypted in plain-text format are protected against attempts to exploit this vulnerability.
The Knowledge Base article Q307594 describes how to enable this feature.
However, you should still apply the patch, in case you disable the read-as-plain-text option in the future.
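An administrator who wants to know which users are exposed to the WordMail condition, and which already have the plain-text workaround in place, can read the two Outlook 2002 settings involved from the user's registry. The following is an added example, not code from the bulletin or from Microsoft. The registry location and value names are assumptions drawn from memory of KB Q307594 and the Outlook 2002 mail options (HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail, with ReadAsPlain = 1 enabling the plain-text feature and UseWordMail = 1 selecting Word as the editor); verify them against the KB article before relying on the script. Whether the patch itself is installed is not something these values reveal, so the script reports exposure only for an unpatched system.

```python
try:
    import winreg  # available on Windows only
except ImportError:  # any other platform: fall back to caller-supplied values
    winreg = None

# Assumed location of both settings (see lead-in; check against Q307594).
MAIL_OPTIONS_KEY = r"Software\Microsoft\Office\10.0\Outlook\Options\Mail"
SETTING_NAMES = ("ReadAsPlain", "UseWordMail")


def read_mail_options() -> dict:
    """Read the two relevant DWORDs for the current user; missing values are omitted."""
    values = {}
    if winreg is None:
        return values
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MAIL_OPTIONS_KEY) as key:
            for name in SETTING_NAMES:
                try:
                    values[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value not set: treated as 0 by assess()
    except FileNotFoundError:
        pass  # key absent: Outlook 2002 options never written for this user
    return values


def assess(values: dict) -> dict:
    """Interpret the settings against the conditions the bulletin states.

    Exploitation needs Word as the e-mail editor; the plain-text option
    removes the HTML body before any reply or forward can reach Word.
    """
    wordmail_enabled = values.get("UseWordMail", 0) == 1
    read_as_plain = values.get("ReadAsPlain", 0) == 1
    return {
        "wordmail_enabled": wordmail_enabled,
        "read_as_plain": read_as_plain,
        # True means: without the patch, this user can trigger the flaw.
        "exposed_without_patch": wordmail_enabled and not read_as_plain,
    }


if __name__ == "__main__":
    for setting, state in assess(read_mail_options()).items():
        print(f"{setting}: {state}")
```

On a non-Windows host `read_mail_options()` returns an empty dictionary and `assess()` reports no exposure, which is correct for a machine that cannot run Outlook but would be misleading if the script were run against an exported registry from elsewhere; in that case feed the exported values to `assess()` directly.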
What does the patch do?
The patch eliminates the vulnerability by having Word handle all forwards and replies in Design mode, in which scripts are not allowed to run.