Outlook View Control Exposes Unsafe Functionality

Originally posted: July 12, 2001

Summary

Who should read this bulletin: Customers using Microsoft® Outlook 98, 2000 or 2002.

Impact of vulnerability: Run code of attacker's choice via either web page or HTML e-mail.

Recommendation: Customers should ensure they have installed the Outlook E-mail Security Update and should temporarily disable ActiveX controls in the IE Internet Zone.

Affected Software:
  Microsoft Outlook 98
  Microsoft Outlook 2000
  Microsoft Outlook 2002

Technical details

Technical description:
The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine.

Hostile web sites would pose the greatest threat with respect to this vulnerability. If a user could be enticed into visiting a web page controlled by an attacker, script or HTML on the page could invoke the control when the page was opened. The script or HTML could then use the control to take whatever action the attacker desired on the user's Outlook data.

It also would be possible for the attacker to send an HTML e-mail to a user, with the intent of invoking the control when the recipient opened the mail. However, the Outlook E-mail Security Update, which is installed automatically as part of Outlook 2002 and is available separately for Outlook 98 and 2000, would thwart such an attack. The Update causes HTML e-mails to be opened in the Restricted Sites Zone, where ActiveX controls are disabled by default.
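Both scenarios depend on HTML or script instantiating an ActiveX control. As an added example, not part of this bulletin, the following Python script flags such instantiation in HTML mail or saved web pages, for use at a mail gateway or in incident triage. The bulletin does not give the View Control's CLSID or ProgID, so the script reports every <object classid="clsid:..."> tag, <embed> tag and ActiveXObject() call rather than matching one control; the sample message, the all-zero CLSID and the ProgID "Example.Control.1" in it are constructed for illustration.

```python
"""Flag ActiveX instantiation in HTML mail or web content.

Added example for this bulletin, not Microsoft code. Reports every
<object classid="clsid:...">, <embed> and new ActiveXObject("...") it
finds; it does not know the Outlook View Control's identifiers, which the
bulletin does not give.
"""
import re
from html.parser import HTMLParser

# Matches script such as: new ActiveXObject("Some.ProgID")
ACTIVEX_OBJECT_RE = re.compile(
    r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Matches a classid attribute such as: clsid:{01234567-89ab-cdef-0123-456789abcdef}
CLSID_RE = re.compile(r'clsid:\s*\{?([0-9a-f-]{36})\}?', re.IGNORECASE)


class _ActiveXFinder(HTMLParser):
    """Collects (kind, identifier) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            m = CLSID_RE.search(attrs.get("classid", ""))
            ident = m.group(1).lower() if m else attrs.get("classid", "")
            self.findings.append(("object", ident))
        elif tag == "embed":
            self.findings.append(("embed", attrs.get("src", "")))
        elif tag == "script":
            self._in_script = True
        # Inline event handlers (onload=...) can also script a control.
        for name, value in attrs.items():
            if name.startswith("on"):
                self._scan_script(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._scan_script("".join(self._script_buf))
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def _scan_script(self, text):
        for progid in ACTIVEX_OBJECT_RE.findall(text):
            self.findings.append(("script", progid))


def scan_html(html):
    """Return a list of (kind, identifier) tuples; empty means no ActiveX use."""
    finder = _ActiveXFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def is_suspicious(html):
    """True if the HTML instantiates any ActiveX control or plug-in."""
    return bool(scan_html(html))


# Constructed sample message; the CLSID and ProgID are placeholders.
SAMPLE_MAIL = """<html><body>
<p>Please review the attached calendar.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="ctl"></object>
<script>var o = new ActiveXObject("Example.Control.1"); ctl.DoSomething();</script>
</body></html>"""

if __name__ == "__main__":
    for kind, ident in scan_html(SAMPLE_MAIL):
        print("ActiveX %s: %s" % (kind, ident))
```

A message with any finding should be quarantined or have its HTML stripped before delivery to Outlook 98 or 2000 users who have not installed the E-mail Security Update; for Outlook 2002 the Restricted Sites Zone already blocks the instantiation, but the finding is still worth alerting on.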

Microsoft is preparing a patch that will eliminate the vulnerability. However, while this patch is under development, we recommend that customers disable ActiveX controls in the Internet Zone to protect against the web-based scenario discussed above. (The FAQ provides information on how administrators can use Group Policy to make this configuration change network-wide). To protect against the mail-borne scenario, we strongly recommend that Outlook 98 and 2000 users install the Outlook E-mail Security Update if they haven’t already done so. When the patch is complete, Microsoft will re-release this bulletin and provide details on where to obtain the patch and how to use it.

Mitigating factors:
  1. The attacker could not compel a user to visit a hostile web site; the user would have to be enticed into opening the page.
  2. The mail-borne scenario is blocked by the Outlook E-mail Security Update, which is installed as part of Outlook 2002 and has been available for Outlook 98 and 2000 for over a year.

Vulnerability identifier: CAN-2001-0538

Tested Versions:
Microsoft tested Outlook 98, 2000 and 2002 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

The Summary section discusses a configuration change rather than a patch. Why isn’t there a patch available for this issue?

The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

We have a patch underway, and will release it as soon as possible. In the meantime, the temporary workaround procedure discussed below will enable customers who are concerned about this issue to protect their systems. When the patch is complete, we will re-release this bulletin and provide information on how to obtain it.

What's the scope of this vulnerability?

This vulnerability could enable an attacker to take any desired action via Outlook. This could include reading or deleting mail, changing calendar or contact information, or any other action that can be taken via Outlook including the possibility of running arbitrary code on the user's machine.

In order to exploit the vulnerability, the attacker would need to either lure a user to a particular web site or send a specially-designed e-mail to the user. In the first scenario, the attacker couldn’t compel the user to visit the site. In the second scenario, a security update that has been available for over a year would fully protect the user’s system.

What causes the vulnerability?

The vulnerability results because an ActiveX control installed by Outlook exposes an unsafe function that could enable an attacker to run any desired code on another user’s system.

What's ActiveX?

ActiveX is a technology that enables developers to write small programs, called controls, that can be used by web pages, Visual Basic programs, and other applications. An ActiveX control performs a small number of related tasks, and controls can be used as building blocks in much more complex programs.

Developers can build custom ActiveX controls; if this is done, the controls must be distributed to each user. However, Microsoft and many third-party software vendors ship ActiveX controls with their products, to enable these products to be easily extended. The vulnerability in this case involves an ActiveX control that installs by default as part of Outlook 2002, but also affects Outlook 98 and 2000.

What is the ActiveX control at issue here?

The control is called the Microsoft Outlook View Control. Its purpose is to allow information from Outlook to be displayed, usually within a web browser. For instance, using this control, a web page could show a user the contents of her Outlook inbox.

What's wrong with the control?

The control provides a function that could enable the web page to do more than simply display information for the user – it could enable it to take action within Outlook, including manipulating any of the user's Outlook data, such as mail, calendar information, contacts, and so forth.

What would this enable the attacker to do?

An attacker who successfully exploited this vulnerability could take virtually any action that can be taken via Outlook. Examples include creating, deleting or changing mail, adding new appointments, modifying contacts, and potentially up to running arbitrary code on the user's machine.

How could the attacker exploit the vulnerability?

The attacker would need to create a web page that, when opened, would attempt to invoke the control and misuse the function discussed above. The attacker would likely use either of two strategies to cause another user to open the page:
  1. Host the page on a web site and entice the user into visiting it.
  2. Send the page to the user as an HTML e-mail.

In both of the scenarios, you said the web page would attempt to invoke the control. What’s the significance of the word "attempt"?

You can control whether web pages are allowed to invoke ActiveX controls. If you've configured your system to prevent this, the web page couldn't invoke the control, and the attacker couldn't exploit the vulnerability.

What determines whether a web page can invoke ActiveX controls?

IE provides the ability to configure exactly what web pages can do, based on the Security Zone that a particular web page resides in. One of the settings determines whether pages can invoke ActiveX controls.

Microsoft is building a patch that will completely eliminate this vulnerability. But until that patch is available, we recommend that customers disable ActiveX controls in certain Security Zones in order to protect their systems. Once the patch is released, you'll be able to re-enable ActiveX controls again.

What zones should I disable ActiveX controls in, and how do I do this?

At a minimum, you should disable them in the Internet Zone. This is the zone that all web sites on the Internet are categorized in by default. If you wish, you can also disable them in the Intranet and Trusted Sites Zones. (By default, they’re already disabled in the Restricted Sites Zone). To disable ActiveX controls in the Internet Zone, follow these steps.
  1. In Internet Explorer, choose Tools, then Internet Options.
  2. Select the Security tab
  3. Click on the icon labeled "Internet", then click the button labeled "Custom Level".
  4. Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Disable", then click OK to return to the Options page.
  5. Click OK again to close the Options page.

To disable ActiveX controls in other zones, follow the same instructions but choose the Intranet, Trusted Sites, or Restricted Sites icon in Step 3.

Would disabling ActiveX controls in IE protect me against the mail-borne scenario you described?

Yes. HTML e-mails are web pages, so even though they're opened in Outlook they're subject to the security settings you've selected in IE. By default, Outlook 98 and 2000 open HTML e-mails in the Internet Zone; Outlook 2002 opens them in the Restricted Sites Zone. Thus, Outlook 98 and 2000 users would be protected if they followed the instructions above and disabled ActiveX controls in the Internet Zone; Outlook 2002 users are protected by default.

But there’s a better solution. The Outlook E-mail Security Update changes how Outlook 98 and 2000 handle HTML e-mails, and causes them to open the mails in the Restricted Sites Zone, where ActiveX controls are already disabled. (The Update is automatically installed as part of Outlook 2002). The Update makes other changes as well, that protect against e-mail viruses. So, if you’ve installed the Update, you’re protected against both e-mail viruses and an element of this vulnerability; if you haven’t, this vulnerability is a good reason to install it today.

I'm a system administrator, and would like to disable ActiveX controls on all my users’ machines automatically. Can I do this?

Yes. The procedure depends on the operating system you're using. Where Group Policy is available (Windows 2000 domains), use it as follows:
  1. Create a Group Policy object at the Site, Domain or Organizational Unit level.
  2. Choose User Configuration | Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Maintenance.
  3. Click the radio button titled "Import the current security zones settings", then click on "Modify Settings"
  4. Click on the icon labeled “Internet”, then click the button labeled "Custom Level".
  5. Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Disable", then click OK twice to return to the Group Policy dialog.
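Whether applied by hand through Internet Options or pushed by Group Policy, the change ends up as a per-zone registry value, so it can be verified fleet-wide. As an added example, not part of this bulletin, the following Python script audits that value. The key layout it relies on is Internet Explorer's documented one, not something the bulletin states: Zones\1 is Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites; value 1200 is "Run ActiveX controls and plug-ins" with data 0 = Enable, 1 = Prompt, 3 = Disable; values under the Policies key override the user's own. The "Security_HKLM_only" machine-wide override is not handled here.

```python
"""Audit the IE "Run ActiveX controls and plug-ins" setting per Security Zone.

Added example for this bulletin, not Microsoft code. The pure functions
(describe, assess) run anywhere; read_live() needs Windows, since it reads
the registry via winreg.
"""
import sys

ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
RUN_ACTIVEX = "1200"                      # "Run ActiveX controls and plug-ins"
MEANING = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
POLICY_SUBKEY = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def describe(data):
    """Human-readable meaning of a 1200 value (None if the value is absent)."""
    return MEANING.get(data, "Unknown(%r)" % (data,))


def assess(settings, required=(3,)):
    """Return the zones in `required` where ActiveX is NOT disabled.

    settings maps zone number -> data of value 1200. The default matches the
    bulletin's minimum (Internet Zone only); pass required=(1, 2, 3) to also
    demand it for the Local Intranet and Trusted Sites Zones.
    """
    return [zone for zone in required if settings.get(zone) != 3]


def read_live():
    """Read the effective value per zone on Windows.

    Precedence: machine policy, then user policy, then the user's own
    Internet Options setting. The first hive that has the value wins.
    """
    import winreg  # Windows-only; imported here so the pure functions load anywhere
    sources = (
        (winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY),
        (winreg.HKEY_CURRENT_USER, POLICY_SUBKEY),
        (winreg.HKEY_CURRENT_USER, ZONE_SUBKEY),
    )
    effective = {}
    for zone in ZONES:
        for hive, subkey in sources:
            try:
                with winreg.OpenKey(hive, subkey + "\\" + str(zone)) as key:
                    effective[zone], _ = winreg.QueryValueEx(key, RUN_ACTIVEX)
                break
            except OSError:
                continue
    return effective


if __name__ == "__main__":
    live = read_live()
    for zone, name in ZONES.items():
        print("%-17s 1200 = %s" % (name, describe(live.get(zone))))
    still_enabled = assess(live)
    if still_enabled:
        print("ActiveX still runs in zone(s): %s" % ", ".join(ZONES[z] for z in still_enabled))
    sys.exit(1 if still_enabled else 0)
```

Run it under each user's account (the per-user key is what Internet Options writes); a non-zero exit means the Internet Zone still runs ActiveX controls and the workaround is not in effect for that user.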

Additional information about this patch

Installation platforms:
This workaround can be used on any affected system.

Inclusion in future service packs:
The fix for this issue will be included in Office XP Service Pack 1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:
This information will be available when the patch is complete.

Caveats:
None

Localization:
The workaround can be used regardless of the language version.

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Other information:

Support:

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: