Issue : Outlook Express address book allows messages to be intercepted by 3rd party Date Released : 16 March 2001 Vendor Notified : 16 March 2001 Affected : Outlook Exress 5.5SP1 and prior Risk : Low/Average Discovered : 18 December 2000 by 3APA3A Remotely Exploitable : Yes Vendor URL : http://www.microsoft.com SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories Description: It's possible for remote user to cause messages written for one e-mail address to be delivered to another e-mail address. Details: Outlook Express has option "Automatically put people I reply to in my address book". Then enabled, this option causes Outlook to make automatically new address book entries mapping NAME of received message to e-mail ADDRESS. Then message is composed Outlook Express checks address book for NAME and sets complete e-mail ADDRESS instead. Exploitation: Situation: 2 good users G1 and G2 with addresses [email protected] and [email protected] and one bad user B, [email protected] Imagine B wants to get messages G1 sends to G2. Scenario: 1. B composes message with headers: From: "[email protected]" <[email protected]> Reply-To: "[email protected]" <[email protected]> To: G1 <[email protected]> Subject: how to catch you on Friday? and sends it to [email protected] 2. G1 receives mail, which looks absolutely like mail received from [email protected] and replies it. Reply will be received by B. In this case new entry is created in address book pointing NAME "[email protected]" to ADDRESS [email protected] 3. Now, if while composing new message G1 directly types e-mail address [email protected] instead of G2, Outlook will compose address as "[email protected]" <[email protected]> and message will be received by B. Workaround: Disable "Automatically put people I reply to in my address book" option. Vendor: Microsoft was contacted, accepted problem and replied it's impossible to fix it until next IE 5.5 SP. Solution: No yet.