CVE-2000-0653
CVSS5.0
发布时间 :2000-07-20 00:00:00
修订时间 :2008-09-10 15:05:32
NMCS    

[原文]Microsoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability.


[CNNVD]Microsoft Outlook Express的持续邮件浏览器的链接漏洞(CNNVD-200007-056)

        Microsoft Outlook Express存在漏洞。远程攻击者通过创建一个到Outlook Express窗口的持续浏览链接监测用户的电子邮件。又称为"Persistent Mail-Browser Link"漏洞。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:outlook_express:4.0Microsoft outlook_express 4.0
cpe:/a:microsoft:outlook_express:4.01Microsoft outlook_express 4.01
cpe:/a:microsoft:outlook_express:5.0Microsoft outlook_express 5.0
cpe:/a:microsoft:outlook_express:5.0.1Microsoft outlook_express 5.0.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0653
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0653
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-056
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1502
(VENDOR_ADVISORY)  BID  1502
http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
(VENDOR_ADVISORY)  MS  MS00-045

- 漏洞信息

Microsoft Outlook Express的持续邮件浏览器的链接漏洞
中危 设计错误
2000-07-20 00:00:00 2005-10-20 00:00:00
远程※本地  
        Microsoft Outlook Express存在漏洞。远程攻击者通过创建一个到Outlook Express窗口的持续浏览链接监测用户的电子邮件。又称为"Persistent Mail-Browser Link"漏洞。

- 公告与补丁

        Perform a default installation of Microsoft Internet Explorer 5.01 Service Pack 1, or Microsoft Internet Explorer 5.5 on any system except Windows 2000. Microsoft has released patches for the affected software for those who do not wish to upgrade, available at
        http://www.microsoft.com/windows/ie/download/critical/patch9.htm

- 漏洞信息

Microsoft Outlook Express Persistent Mail-Browser Link Vulnerability
Design Error 1502
Yes Yes
2000-07-20 12:00:00 2009-07-11 02:56:00
Details of this vulnerability were released in Microsoft Security Bulletin MS0-045 released on July 20, 2000.

- 受影响的程序版本

Microsoft Outlook Express 5.5
+ Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0.1 for Windows 98
+ Microsoft Internet Explorer 5.0.1 for Windows 98
+ Microsoft Internet Explorer 5.0.1 for Windows 95
+ Microsoft Internet Explorer 5.0.1 for Windows 95
+ Microsoft Internet Explorer 5.0.1 for Windows 2000
+ Microsoft Internet Explorer 5.0.1 for Windows 2000
+ Microsoft Internet Explorer 5.0.1
+ Microsoft Internet Explorer 5.0.1
+ Microsoft Internet Explorer 5.5
+ Microsoft Internet Explorer 5.5
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- 不受影响的程序版本

Microsoft Outlook Express 5.5
+ Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0.1 for Windows 98
+ Microsoft Internet Explorer 5.0.1 for Windows 98
+ Microsoft Internet Explorer 5.0.1 for Windows 95
+ Microsoft Internet Explorer 5.0.1 for Windows 95
+ Microsoft Internet Explorer 5.0.1 for Windows 2000
+ Microsoft Internet Explorer 5.0.1 for Windows 2000
+ Microsoft Internet Explorer 5.0.1
+ Microsoft Internet Explorer 5.0.1
+ Microsoft Internet Explorer 5.5
+ Microsoft Internet Explorer 5.5
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- 漏洞讨论

From the Microsoft Advisory (MS00-045): By design, HTML mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express windows. Also by design, script in the browser window could read the HTML mail that is displayed in Outlook Express. However, a vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user. There are several significant restrictions on this vulnerability: 1) Only the recipient could open the HTML mail that established the link. 2) The attack would only persist until the user either closed the browser window that the HTML mail opened, or closed Outlook Express. 3) The malicious user could only read mails that were displayed in the preview pane. If the preview pane features were disabled, he could not read mails under any conditions.

- 漏洞利用

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 解决方案

Perform a default installation of Microsoft Internet Explorer 5.01 Service Pack 1, or Microsoft Internet Explorer 5.5 on any system except Windows 2000. Microsoft has released patches for the affected software for those who do not wish to upgrade, available at http://www.microsoft.com/windows/ie/download/critical/patch9.htm

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站