Juha-Matti Laurio has reported a weakness in Outlook Express, which may disclose email addresses in "BCC:" fields to other recipients.
The weakness is caused due to an error when sending multipart messages. This may allow recipients in the "To:" and "CC:" fields to see the email addresses of recipients in the "BCC:" field.
In Outlook Express, this requires users to open the email message in a editor. In Lotus Notes and certain web-based email applications, the "BCC:" recipients are displayed directly in the message body without having to open it in an editor.
Successful exploitation requires that the user sending the email has configured Outlook Express to break apart emails larger than a size specified with the "Break apart messages larger than" setting (not enabled by default) for the used email account.
Solution: An update is available via the Microsoft Windows Update web site.
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.