<!DOCTYPE vdbentry SYSTEM "vulner.dtd">
<vdbentry refer="V-NUMBER">
<title>
Outlook Cache Bypass
</title>
<desc>
<short>
A web page included inline as part of email
can be stored on disk outside the Internet Zone
</short>
<long>
If Outlook or Outlook Express interprets
an HTML mail message page that creates a second page on the same system,
that second page can be created either in the browser's cache or on disk.
If the file is created in the cache, it is in the Internet Zone and
is constrained by those policy settings. But if it is created on disk,
the disk file falls into the Local Intranet Zone (Local Computer Zone)
and is constrained by those policy settings.
In particular, the Internet Zone by default prevents anything executing
in it from accessing local system files except for those in the cache.
The Local Intranet Zone (Local Computer Zone) does not restrict this.
</long>
<comp>
Inetcomm.dll;
Msoe.dll;
Msoert2.dll;
Microsoft Outlook Express 4.0, 4.01, 5.0, 5.01;
Microsoft Outlook 98, 2000;
Not vulnerable:
Outlook Express 5.5
</comp>
<os>
Windows NT 4.0, 95, 98, 2000
</os>
<veffect aswho="user" cando="read">
The attacker creates a Trojan horse that,
when triggered, lets the attacker read files
on the user's system.
</veffect>
<vdetect>
Check your version of Outlook Express.
If you are running Outlook Express 4.01 SP2 (version 4.72.3612.1700),
Outlook Express 5.01 not on Windows 2000 (version 5.00.2919.6600),
or Outlook Express 5.01 on Windows 2000 (version 5.00.2919.6700),
or any earlier versions, you are vulnerable.
</vdetect>
<vfix>
<tech>
Install the patch
<step>
Be sure you are running Internet Explorer 4.01 SP2 or Internet Explorer 5.01
or later. The patch requires this to install.
<step>
Download the patch for your version of
<href url="http://www.microsoft.com/windows/ie/download/critical/patch9.htm">Outlook or Outlook Express</href>
and install it.
<tech>
If you are using any system other than Windows 2000,
install Internet Explorer 5.01 SP1 or Internet Explorer 5.5.
This eliminates the vulnerability.
<tech>
If you are using Windows 2000, install Windows 2000 SP1.
</vfix>
<vother>
</vother>
</desc>
<keyword>
email,
Trojan horse,
web page
</keyword>
<cat>
<pa>
&init;, &choice;
</pa>
<risos>
&iaa;
</risos>
<cve>
<cvenum refer="CAN-2000-0621">
Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow
remote attackers to read files on the client's system via a malformed HTML
message that stores files outside of the cache, aka the "Cache Bypass"
vulnerability.
</cvenum>
</cat>
<exploit>
EXPLOIT GENERAL INFORMATION
<attack>
POINTERS TO ATTACKS
</attack>
</exploit>
<relinfo>
Microsoft Knowledge Base article
<href url="http://www.microsoft.com/technet/support/kb.asp?ID=247638">Q247638,
Cache Bypass Vulnerability Fix Available</href>
<li>CERT Advisory
<href url="http://www.cert.org/advisories/CA-2000-14.html">CA-2000-14,
Microsoft Outlook and Outlook Express Cache Bypass Vulnerability</href>
<adv>
<ul>
<li>Microsoft Security Bulletin
<href url="http://www.microsoft.com/technet/security/bulletin/MS00-046.asp">MS00-046</href>
</ul>
</adv>
<ovn>
</ovn>
</relinfo>
<history>
<report>
<reporter>
Microsoft
</reporter>
<where>
Microsoft Security Bulletin MS00-046
</where>
<when>
July 20, 2000
</when>
<what>
reported the error
</report>
</history>
<revision revno=1>
<changes m=8 d=3 y=2000 who="Matt Bishop">
Initial entry
</changes>
</revision>
</vdbentry>