MS Outlook "Cache Bypass" allows attackers to circumvent Internet Zone security policy

Overview

Microsoft has recently released Microsoft Security Bulletin MS00-046, in which they announced a patch for the “Cache Bypass” vulnerability. By exploiting this vulnerability, an attacker can use an HTML-formatted message to read certain types of files on the victim’s machine.

In addition, because this vulnerability also allows the attacker to store files on the victim’s machine, it can be used in conjunction with existing vulnerabilities to execute arbitrary code on the target system.

Description

“Cache Bypass” Vulnerability

Typically, all files downloaded by either Outlook or Internet Explorer are stored in an area known as a cache. The cache serves two main purposes. First, it provides temporary storage for online content, which minimizes the amount of data that must be transferred when refreshing a page. Second, it provides an area where Internet content can be downloaded to the local machine and accessed with the same security policy as remote content.

This vulnerability allows attackers to use an HTML-formatted message to store files outside the cache. Inside the cache, the files are governed by the security policy of the “Internet Zone,” but outside they are governed by the “Local Computer Zone.” Once a file is stored in the “Local Computer Zone,” the security policy of the “Internet Zone” no longer applies to it. This could put systems at risk because the security policies of the “Local Computer Zone” are typically more permissive than those of the “Internet Zone.”

---

Impact

When exploited, this vulnerability allows an attacker to store an HTML file in an area that is not protected by the policies of the “Internet Zone.” This file may then be used to open arbitrary files on the victim’s machine and send their contents back to the attacker.

In addition, the “Cache Bypass” vulnerability could be used in conjunction with other vulnerabilities to allow an intruder to execute arbitrary code on the victim’s machine.

---

Solution

Microsoft has released Microsoft Security Bulletin MS00-046, which points to a patch for this vulnerability. We strongly encourage you to read this bulletin and apply the patch. MS00-046 is available at

http://www.microsoft.com/technet/security/bulletin/MS00-046.asp

Vendor Information

38950

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft __ Affected

Updated: October 06, 2000

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following systems are affected by this vulnerability:

* Any system running Microsoft Outlook Express 4.0 or 4.01
* Any system running Microsoft Outlook Express 5.0 or 5.01
* Any system running Microsoft Outlook 98
* Any system running Microsoft Outlook 2000 

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2338950 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/1501&gt;
• <http://support.microsoft.com/support/kb/articles/q239/4/70.ASP&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS00-046.asp&gt;

Acknowledgements

The CERT Coordination Center thanks Microsoft for their assistance in developing this document.

This document was written by Jeffrey P Lanza.

Other Information

CVE IDs:	CVE-2000-0621
CERT Advisory:	CA-2000-14 Severity Metric: