Issue : Outlook Express address book allows messages to be intercepted by 3rd party Date Released : 16 March 2001 Vendor Notified : 16 March 2001 Author : 3APA3A <3APA3A@security.nnov.ru> Affected : Outlook Exress 5.5SP1 and prior Discovered : 18 December 2000 by 3APA3A Remotely Exploitable : Yes Vendor URL : http://www.microsoft.com SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
It's possible for remote user to cause messages written for one e-mail address to be delivered to another e-mail address.
Outlook Express has option "Automatically put people I reply to in my address book". Then enabled, this option causes Outlook to make automatically new address book entries mapping NAME of received message to e-mail ADDRESS. Then message is composed Outlook Express checks address book for NAME and sets complete e-mail ADDRESS instead.
Situation: 2 good users G1 and G2 with addresses firstname.lastname@example.org and email@example.com and one bad user B, firstname.lastname@example.org. Imagine B wants to get messages G1 sends to G2. Scenario:
From: "email@example.com" <firstname.lastname@example.org> Reply-To: "email@example.com" <firstname.lastname@example.org> To: G1 <email@example.com> Subject: how to catch you on Friday?
and sends it to firstname.lastname@example.org
G1 receives mail, which looks absolutely like mail received from email@example.com and replies it. Reply will be received by B. In this case new entry is created in address book pointing NAME "firstname.lastname@example.org" to ADDRESS email@example.com.
Now, if while composing new message G1 directly types e-mail address firstname.lastname@example.org instead of G2, Outlook will compose address as "email@example.com" <firstname.lastname@example.org> and message will be received by B.
Disable "Automatically put people I reply to in my address book" option.
Microsoft was contacted, accepted problem and replied it's impossible to fix it until next IE 5.5 SP.