Bypass Internet Zone Security in Outlook Express

Reported July 20 by Microsoft

VERSIONS AFFECTED
Microsoft Outlook Express 4.0 through 5.01

DESCRIPTION

By sending an unsuspecting user a specially crafted HTML message, an attacker could cause a file to be created on the hard disk that, when opened, would operate in the Local Security Zone context of the user's desktop, which by default allows a liberal amount of access to available resources.

Because of programmatic restrictions involved with HTML email messages, the vulnerability could allow data to be transmitted offsite without the user's knowledge. However, according to Microsoft's bulletin, data access would be limited to the ability to read files that could be displayed in a browser window, such as image files, HTML files, text files, etc.

VENDOR RESPONSE

Microsoft issued FAQ# FQ00-046 regarding this problem along with a patch and Support Online article Q267884, which also pertain to security issues MS00-043 and MS00-045.

Microsoft's bulletin states that "this vulnerability can be eliminated by taking any of the following actions:

  • Installing the patch available at
    http://www.microsoft.com/windows/ie/download/critical/patch9.htm
  • Performing a default installation of Internet Explorer 5.01 Service Pack 1,
    http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
  • Performing a default installation of Internet Explorer 5.5
    (http://www.microsoft.com/windows/ie/download/ie55.htm)
    on any system except Windows 2000.

Note: The patch requires IE 4.01 SP2 (http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm) to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q267884"

CREDIT
Discovered by Microsoft