OVERVIEW
A small bug showed up casually in Outlook Express, localized italian version. This bug leads to incorrect visualization of a plain text e-mail message. There is no evidence that this could lead to any compromise directly, however it could be used to avoid some e-mail content filters in place (for example those concerned with the file://con/con and similar link-based bugs)
This advisory has been slightly modified since it was posted on BugTraq
AFFECTED VERSIONS
From our tests:
Outlook Express version 5.50.4522.1200 ITALIAN is AFFECTED
Outlook Express version 5.00.2919.6600 ITALIAN is AFFECTED
Outlook Express version 5.50.4522.1200 ENGLISH is NOT affected
Outlook Express version 5.50.4133.2400 ITALIAN is NOT affected
Microsoft has acknowledged this bug at first only on international versions, then as a standard "feature" in IE/OE. I lack confirmation about version 6.0 being or not vulnerable.
DESCRIPTION OF BEHAVIOUR
The "bug" shows up in two different ways:
- When the user is trying to compose a message, he simply can NOT type something like "//ANYTHING", because it is immediately transformed into "file://ANYTHING". While this has NOT security implication, it is an obvious problem if you are writing, for example, a JavaScript piece of code and you want to include the <-- //--> block for hiding it from JavaScript-impaired browsers. By the way, this is how I discovered the problem...
- When the user receives an e-mail containing such a string, it is displayed in the "file://" format, although taking a look to the raw format through "file - properties - details - original message" shows the correct form of the string. Thus, if a malicious user sends (not using outlook, because as I said before... that's plainly impossible) an e-mail containing just //con/con the rendered output would be file://con/con , but a procmail filter, for instance, set up to intercept all file:// references would not be triggered by the e-mail message.
Curious add-on: if you watch the screen carefully, you can actually see the CORRECT form (without file:// ) being displayed for a few fractions of second before it changes... strange.
CONCLUSIONS
This small bug does not pose any real security risk, in my opinion. But I wish to report something which in my opinion is quite strange.
Microsoft ( secure@microsoft.com ) has at first claimed to be unable to reproduce the bug, then, provided with further details, has answered: "You are right, it is a localized feature. From talking with our developers what you are seeing is by design."
The latest version was: "We are unable to verify...we'll get back in touch with you", but it was just about a month ago, so I tought I could as well disclose this small flaw and go on with something more important...
However, I am still wondering WHY this "feature" should be added, by design, into Italian language version and not into other product. What does this "design" fix, actually ?
This question was openly posted on BugTraq months ago. Still no answer.