MS Word runs malicious e-mail scripts
April 26, 2002
If you've chosen MS Word for your e-mail editor in Outlook 2000 or 2002, you'll need to patch a flaw which enables script execution when a malicious memo is replied to or forwarded.
Outlook blocks scripts when an HTML e-mail is viewed; but when Word is the editor, replying or forwarding calls it in an unprotected mode, and it then allows the script to run. Essentially, Word behaves as if a new memo were being created, a situation where security wouldn't be an issue. The actual flaw, then, is a failure to distinguish between a user's own e-mail and his modifications to someone else's.
The consequences of exploitation here are running arbitrary code on the local machine with the user's level of privilege.
As usual, MS provides an extremely vague description of the exploit, calling it only a "specially malformed HTML e-mail," so we can't tell you anything about the likelihood of exploiting other versions of Outlook with this little oversight. We also can't verify that the patches work as advertised. But none of that is necessary, now that Trustworthy Computing is in force.
The MS bulletin, along with links to the patches, is posted here.
by Thomas C Greene in Washington. Copyright © 2001 The Register