Microsoft Multiple E-Mail Client Address Spoofing Vulnerability

Via the iDEFENSE Security Advisory 04.08.05:

I. BACKGROUND
Microsoft Outlook provides an integrated solution for managing and organizing e-mail messages, schedules, tasks, notes, contacts, and other information. More information is available here.

II. DESCRIPTION
Remote exploitation of an address spoofing vulnerability in various Microsoft Corp. e-mail clients could allow attackers to social engineer sensitive information from end users.

Microsoft Outlook and Microsoft Outlook Web Access (OWA) are widely deployed collaboration clients in corporate networks. The vulnerability specifically exists in message header parsing and allows an attacker to spoof the “From” field that is displayed on the user’s screen. Within the SMTP header, when the From field contains multiple comma-separated addresses, Outlook and OWA will only display the first address….

Microsoft Outlook as distributed with Office XP and 2003 as well as Outlook Web Access as distributed with Exchange 2003 have been confirmed as vulnerable. Prior versions are suspected to be affected as well.

Microsoft Outlook Express is not affected by this issue….

Microsoft has reviewed the issue and has made the determination that while a bug fix may be implemented in a future service pack, a security advisory/patch will not be released for this issue.

[Continue reading Microsoft Multiple E-Mail Client Address Spoofing Vulnerability]