Small flaw in Outlook Express

From: Raistlin (raistlinat_private)
Date: Wed Dec 05 2001 - 11:54:56 PST


    --- OVERVIEW ---
    
    A small bug showed up by chance in Outlook Express, localized Italian
    version. This bug leads to incorrect display of a plain text e-mail
    message. There is no evidence that this could lead to any compromise
    directly; however, it could be used to evade some e-mail content filters in
    place (for example those concerned with the file://con/con and similar
    link-based bugs).
    
    --- AFFECTED VERSIONS ---
    
    From our tests:
    Outlook Express version 5.50.4522.1200 ITALIAN is AFFECTED
    Outlook Express version 5.00.2919.6600 ITALIAN is AFFECTED
    Outlook Express version 5.50.4522.1200 ENGLISH is NOT affected
    Outlook Express version 5.50.4133.2400 ITALIAN is NOT affected
    
    Microsoft has acknowledged this bug at first only on international versions,
    then as a standard feature in IE/OE. I lack confirmation about whether
    version 6.0 is vulnerable.
    
    --- DESCRIPTION OF BEHAVIOUR ---
    
    The "bug" shows up in two different ways:
    
    - when the user is trying to compose a message, he simply can NOT type
    something like "// ANYTHING" (without the blank character in between),
    because it is immediately transformed into "file://" format. While this has
    NO security implication, it is an obvious problem if you are writing, for
    example, a piece of JavaScript code and you want to include the <-- // -->
    block for hiding it from JavaScript-impaired browsers (again, there is an
    additional space inserted). By the way, this is how I discovered the
    problem, and by the way again, I cannot write you correctly what I mean,
    since Outlook Express won't let me ^_^
    
    - when the user receives an e-mail containing such a string, it is displayed
    in the "file://" format, although taking a look at the raw format through
    "file - properties - details - original message" shows the correct form of
    the string. Thus, if a malicious user sends (not using Outlook :) an e-mail
    containing just // and the infamous string con/con (if you are wondering,
    yes, they are separated to allow me to write them), the rendered output
    would be file://con/con , but a procmail filter, for instance, set up to
    intercept all file:// references would not be triggered by the e-mail
    message.
    
    Curious add-on: if you watch the screen carefully, you can actually see the
    CORRECT form (without file:// ) being displayed for a fraction of a
    second before it changes... strange.
    
    --- CONCLUSIONS ---
    
    This small bug does not pose any real security risk, in my opinion - please,
    don't tell me it is not threatening, I definitely know that by myself. But I
    wish to report something which in my opinion is quite strange.
    
    Microsoft ( secureat_private ) has at first claimed to be unable to
    reproduce the bug, then, provided with further details, has answered: "You
    are right, it is a localized feature. From talking with our developers what
    you are seeing is by design."
    
    The latest version was: "We are unable to verify...we'll get back in touch
    with you", but that was about a month ago, so I thought I might as well
    disclose this small flaw and go on with something more important...
    
    However, I am still wondering WHY this "feature" should be added, by design,
    into the Italian language version and not into other products. What does this
    "design" fix, actually? Will anybody answer me? Thanks in advance ;)
    
    Stefano "Raistlin" Zanero
    System Administrator Gioco.Net
    public PGP key block at http://gioco.net/pgpkeys
    
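The filter-evasion point in the post above (a content filter matching the raw
text while the client renders something else) illustrated in Python. This is an
added example, not code from the original post or from procmail: a naive
filter that only looks for the literal "file://" is compared with one that first
normalizes the message the way the post says the affected client does (a bare
"//" at the start of a token becomes "file://"). The sample messages are
constructed, and the exact rewriting rule used by Outlook Express is an
assumption based only on the post's description.

```python
import re

# Constructed sample messages (not taken from the original post).
MSG_EXPLICIT = "Hi,\nhave a look at file://con/con when you get a chance.\n"
MSG_BARE = "Hi,\nhave a look at //con/con when you get a chance.\n"
MSG_CLEAN = "Hi,\nsee https://example.invalid/path//with//doubles\n"

# What the procmail-style filter in the post is looking for: the literal scheme.
FILE_SCHEME = re.compile(r"file://", re.IGNORECASE)

# Assumed model of the client behaviour described in the post: a "//" that
# starts a token (not preceded by a word character or a scheme's ':') gets
# rendered as a file:// link. "https://..." and "path//with" are left alone.
BARE_DOUBLE_SLASH = re.compile(r"(?<![\w:])//(?=\S)")


def naive_filter(body: str) -> bool:
    """True if the raw body contains an explicit file:// reference."""
    return bool(FILE_SCHEME.search(body))


def normalize(body: str) -> str:
    """Rewrite bare // tokens into file:// the way the affected client renders them."""
    return BARE_DOUBLE_SLASH.sub("file://", body)


def hardened_filter(body: str) -> bool:
    """Match against the rendered form, not the raw form, so bare // is caught too."""
    return bool(FILE_SCHEME.search(normalize(body)))


def classify(body: str) -> dict:
    """Return both verdicts for a message so the gap between them is visible."""
    return {"naive": naive_filter(body), "hardened": hardened_filter(body)}


if __name__ == "__main__":
    for name, msg in (("explicit", MSG_EXPLICIT), ("bare", MSG_BARE), ("clean", MSG_CLEAN)):
        print(name, classify(msg))
```

The bare "//con/con" message is the interesting case: the naive filter passes it
through while the hardened one, which matches what the recipient would actually
see, blocks it. The clean message shows why the normalization must not touch
"//" inside an existing URL or path, or the filter would start rejecting
ordinary mail.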



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 14:36:53 PST