Microsoft KB Archive/321804

= MS02-021: An E-mail Editor Flaw Can Lead to Script Execution If You Reply or Forward a Message =

Article ID: 321804

Article Last Modified on 11/26/2003

-

APPLIES TO


 * Microsoft Outlook 2002 Standard Edition
 * Microsoft Outlook 2000 Standard Edition
 * Microsoft Word 2002 Standard Edition
 * Microsoft Word 2000 Standard Edition

-



This article was previously published under Q321804



SYMPTOMS
If you use Microsoft Word as your e-mail editor in Outlook 2000 and Outlook 2002 to create and edit messages in either the Outlook Rich Text format or in Hypertext Markup Language (HTML) format, there is a flaw that prevents Word from applying restrictive security settings that disallow scripts to be run if you reply or forward a message.

An attacker can exploit this vulnerability by sending a specifically malformed HTML message that contains a script to a Microsoft Outlook user who uses Word as their e-mail editor. The scripts can take any action on the system as if they were the user.

The attacker's actions are limited by any restrictions that govern the user's actions. Therefore, in an environment where accounts follow the rule of least privilege, the attacker may be significantly limited in the actions that their program can take.

Mitigating Factors

 * The vulnerability only affects Outlook users who use Word as their e-mail editor.
 * Users who have enabled the feature introduced in Microsoft Office XP SP1 to read HTML messages as plain text are not vulnerable.
 * For an attacker to successfully use this vulnerability, the user must reply to or forward the malicious message.



CAUSE
This problem can occur because of a flaw in how the WordMail editor handles scripting that is contained in HTML when a user replies to or forwards the message. In certain circumstances, the scripting is handled in an unsafe manner and is run without warning the user.



Outlook 2002
The patch for this problem is included in the &quot;Word 2002 Update: April 25, 2002&quot;. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

320441 WD2002: Overview of Word 2002 Update: April 25, 2002

The English-language version of this fix has the file attributes (or later) that are listed in the following table:

  Version          Size        File name 10.00.4009.0000 10,582,344  Winword.exe

Outlook 2000
The patch for this problem is included in the &quot;Word 2000 Update: April 25, 2002&quot;. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

320536 WD2000: Overview of Word 2000 Update: April 25, 2002

The English-language version of this fix has the file attributes (or later) that are listed in the following table:

  Version     Size       File name --  9.0.0.6328  8,814,644  Winword.exe



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms02-021.asp

Additional query words: security_patch

Keywords: kbbug kbfix kbofficexppresp2fix kbqfe kbsecurity kboffice2000presp3fix kbofficexpsp2fix KB321804

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.