|
Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness
|
|
Secunia Advisory:
|
SA12376
|
|
|
Release Date:
|
2004-08-25
|
|
Last Update:
|
2004-12-30
|
|
Popularity:
|
26,505 views
|
|
|
Critical:
|
 Not critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Microsoft Outlook Express 6
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
Description: Juha-Matti Laurio has reported a weakness in Outlook Express, which may disclose email addresses in "BCC:" fields to other recipients.
The weakness is caused due to an error when sending multipart messages. This may allow recipients in the "To:" and "CC:" fields to see the email addresses of recipients in the "BCC:" field.
In Outlook Express, this requires users to open the email message in a editor. In Lotus Notes and certain web-based email applications, the "BCC:" recipients are displayed directly in the message body without having to open it in an editor.
Successful exploitation requires that the user sending the email has configured Outlook Express to break apart emails larger than a size specified with the "Break apart messages larger than" setting (not enabled by default) for the used email account.
Solution: An update is available via the Microsoft Windows Update web site.
http://windowsupdate.microsoft.com/
Provided and/or discovered by: Juha-Matti Laurio
Changelog: 2004-08-30: Added information about web-based systems.
2004-12-30: Updated "Solution" section.
Original Advisory: Microsoft Knowledge Base Article - 843555:
http://support.microsoft.com/kb/843555
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|