SECURITY.NNOV: Outlook Express address book vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2001-06-02T00:00:00


Issue : Outlook Express address book allows messages to be intercepted by 3rd party Date Released : 16 March 2001 Vendor Notified : 16 March 2001 Author : 3APA3A <> Affected : Outlook Exress 5.5SP1 and prior Discovered : 18 December 2000 by 3APA3A Remotely Exploitable : Yes Vendor URL : SECURITY.NNOV advisories:


It's possible for remote user to cause messages written for one e-mail address to be delivered to another e-mail address.


Outlook Express has option "Automatically put people I reply to in my address book". Then enabled, this option causes Outlook to make automatically new address book entries mapping NAME of received message to e-mail ADDRESS. Then message is composed Outlook Express checks address book for NAME and sets complete e-mail ADDRESS instead.


Situation: 2 good users G1 and G2 with addresses and and one bad user B, Imagine B wants to get messages G1 sends to G2. Scenario:

  1. B composes message with headers:

From: "" <> Reply-To: "" <> To: G1 <> Subject: how to catch you on Friday?

and sends it to

  1. G1 receives mail, which looks absolutely like mail received from and replies it. Reply will be received by B. In this case new entry is created in address book pointing NAME "" to ADDRESS

  2. Now, if while composing new message G1 directly types e-mail address instead of G2, Outlook will compose address as "" <> and message will be received by B.


Disable "Automatically put people I reply to in my address book" option.


Microsoft was contacted, accepted problem and replied it's impossible to fix it until next IE 5.5 SP.


No yet.