Microsoft Outlook View Control allows execution of arbitrary code and manipulation of user data

Overview

A vulnerability exists in an ActiveX control supplied with Microsoft Outlook 2002 that could allow malicious code on a web page or in an HTML email message to manipulate Outlook data or execute arbitrary code as the user running Outlook.

Description

Microsoft Outlook 2002 installs an ActiveX control called ‘Microsoft Outlook View Control’. Microsoft Outlook (and the Outlook View Control) may be installed as part of Microsoft Office. In addition, the Outlook View Control is independently available for download from Microsoft. Outlook Express is also vulnerable if the Outlook View Control is present on the system.

The Outlook View Control provides access to Outlook data such as email, contacts, and calendar information. The control should provide read-only access to Outlook data, but in reality it exposes programming elements that allow the manipulation of Outlook data and, more importantly, the execution of arbitrary code with the privileges of the user running Outlook. To exploit this vulnerability, an attacker might convince a user to visit a web page or open an HTML email message containing malicious script code that invokes the control. The control is implemented in Outlook 2002 in the file OUTLCTL.DLL and independently in OUTLCTLX.DLL and is referenced by its class identifier (CLSID): 0006F063-0000-0000-C000-000000000046.

The Outlook View Control may be invoked in a number of ways including script (ECMAScript/Javascript, VBScript) or Java code delivered via HTML.

---

Impact

In Outlook 2002, arbitrary code can be executed with the privileges of the user running Outlook. Also, email, calendar, and contact information accessible via Outlook can be read, modified, and/or deleted. In previous versions of Outlook, a user’s folder view may be manipulated. According to Microsoft Security Bulletin MS01-038: “In an Outlook 2002 client, this [vulnerability] could enable an attacker to delete mail, change calendar information, or take virtually any other action, including running arbitrary code on the user’s machine. In contrast, in Outlook 98 and 2000 the attacker could use the control to manipulate the user’s folder view, but could not use it to read, change or delete data, or to run code on the user’s machine.”

---

Solution

Apply Patch
Apply the appropriate patch from Microsoft.
Outlook 2002:
<http://office.microsoft.com/downloads/2002/OLK1003.aspx&gt;
Outlook 2000:
<http://office.microsoft.com/downloads/2000/outlctlx.aspx&gt;[](&lt;http://www.microsoft.com/technet/security/bulletin/ms01-038.asp&gt;)

Note that these patches do not set the “kill bit” on the vulnerable ActiveX control and the control is signed by Microsoft. Depending on zone security settings, it could be possible to install a vulnerable version of the ActiveX control on a system that does not already have the control installed.

---

To further protect against malicious code contained in email, install the Outlook Security Update and the Java Permissions Security update.

Outlook 2002:
Outlook 2002 includes the Outlook Security Update and disables Java in the ‘Restricted sites’ zone.
Outlook 2000:
<http://office.microsoft.com/downloads/2000/Out2ksec.aspx&gt;
<http://office.microsoft.com/downloads/2000/o2kiefrm.aspx&gt;
Outlook 98:
<http://office.microsoft.com/downloads/9798/Out98sec.aspx&gt;
<http://office.microsoft.com/downloads/9798/o98iefrm.aspx&gt;
Disable ActiveX controls, Active scripting, and Java
Disable ActiveX controls, Active scripting, and Java in the ‘Internet’ zone.
Follow the steps under the heading ‘Using Internet Explorer 5’:
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps&gt;
Disable ActiveX controls, Active scripting, and Java in the ‘Restricted sites’ zone, and configure Outlook to use the ‘Restricted sites’ zone.

Filter Email Messages
Create a client rule in Outlook 2000 or Outlook 2002 to quarantine or delete messages containing script code.

Filter Script Code
It may be possible to use an application layer filter to detect and block or disable script code within HTML data.

---

Vendor Information

131569

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: August 24, 2001

Status

Affected

Vendor Statement

Microsoft has released Microsoft Security Bulletin MS01-038. On August 16, 2001 Microsoft released an updated version of the bulletin and patches for Outlook 2002 and Outlook 2000.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23131569 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.guninski.com/vv2xp.html&gt;
• <http://www.guninski.com/signedactivex2.html&gt;
• http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=862
• <http://www.securityfocus.com/bid/3025&gt;
• <http://www.securitytracker.com/alerts/2001/Jul/1001987.html&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms01-038.asp&gt;
• <http://support.microsoft.com/support/kb/articles/Q291/4/07.ASP&gt;
• <http://support.microsoft.com/support/kb/articles/Q291/7/91.asp&gt;
• <http://support.microsoft.com/?scid=/support/kb/articles/q303/8/33.asp&gt;
• <http://support.microsoft.com/?scid=/support/kb/articles/q303/8/35.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&gt;
• <http://www.ecma-international.org/publications/standards/ECMA-262.HTM&gt;

Acknowledgements

The CERT Coordination Center thanks Georgi Guninski, Russ Cooper of TrueSecure/NTBugTraq, and Microsoft Product Security for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2001-0538
Severity Metric:	10.24 Date Public: