COMMAND

    Outlook Express

SYSTEMS AFFECTED

    Outlook Express 5.5SP1 and prior

PROBLEM

    '3APA3A' found the following.  It is possible for a remote user to
    cause messages written for one e-mail address to be delivered to a
    different e-mail address.

    Outlook Express has the option "Automatically put people I reply to
    in my address book".  When enabled, this option causes Outlook
    Express to create a new address book entry automatically, mapping
    the NAME shown in a received message to the sender's e-mail
    ADDRESS.  When a message is later composed, Outlook Express checks
    the address book for the NAME and substitutes the complete e-mail
    ADDRESS for it.

    Situation: two legitimate users, G1 and G2, with addresses
    g1@mail.com and g2@mail.com, and one malicious user B, b@mail.com.
    Suppose B wants to receive the messages G1 sends to G2.  Scenario:
    1. B composes a message with the headers:

        From: "g2@mail.com" <b@mail.com>
        Reply-To: "g2@mail.com" <b@mail.com>
        To: G1 <g1@mail.com>
        Subject: how to catch you on Friday?

       and sends it to g1@mail.com.
    2. G1 receives the mail, which looks exactly like mail received from
       g2@mail.com, and replies to it.  The reply is received by B.  At
       this point a new entry is created in G1's address book, pointing
       the NAME "g2@mail.com" to the ADDRESS b@mail.com.
    3. Now, if while composing a new message G1 types the e-mail
       address g2@mail.com directly instead of choosing G2, Outlook
       Express resolves the recipient as "g2@mail.com" <b@mail.com> and
       the message is received by B.

    Effectively, the software is doing *exactly* what it is supposed to
    do: allow individuals to be mailed by their chosen name instead of
    their direct e-mail address.  But since it renders chosen names in
    exactly the same manner as the fallback direct address, anyone can
    *choose* a name that *appears* to be a fallback address and thereby
    pose as any name they want.  And since Outlook Express gives chosen
    names higher precedence than direct addresses, the wrong person
    will be mailed every time and the user can be none the wiser.
    After all, pixel for pixel, *everything* is doing just what it
    should.
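    As an added illustration, not part of the original advisory and not
    Microsoft's code, the following Python model reproduces the
    name-before-address resolution described above using the scenario's
    own headers, beside a hardened resolver that never remaps a
    recipient that is already a literal address, and a check that lists
    address book entries whose NAME looks like an address but differs
    from the stored ADDRESS (all class and function names are
    assumptions of this model).

```python
import re

# Constructed model of the behaviour described above, not Outlook
# Express code: replying auto-adds NAME -> ADDRESS, and composing a
# message resolves a typed recipient against NAME before anything else.

MAILBOX_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')
ADDRESS_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def parse_mailbox(header_value):
    """Split '"Name" <addr>' (or a bare 'addr') into (name, addr)."""
    m = MAILBOX_RE.match(header_value)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header_value.strip().lower()


class AddressBook:
    def __init__(self):
        self.by_name = {}  # NAME (lower-cased) -> ADDRESS

    def auto_add_on_reply(self, reply_to_header):
        """'Automatically put people I reply to in my address book'."""
        name, addr = parse_mailbox(reply_to_header)
        if name:
            self.by_name[name.lower()] = addr

    def resolve_vulnerable(self, typed):
        """NAME lookup wins even when the user typed a literal address."""
        return self.by_name.get(typed.lower(), typed.lower())

    def resolve_hardened(self, typed):
        """A recipient that is already a valid address is never remapped."""
        if ADDRESS_RE.match(typed.strip()):
            return typed.strip().lower()
        return self.by_name.get(typed.lower(), typed.lower())

    def suspicious_entries(self):
        """Entries whose NAME looks like an address but is not the ADDRESS."""
        return {n: a for n, a in self.by_name.items()
                if ADDRESS_RE.match(n) and n != a}


if __name__ == "__main__":
    book = AddressBook()
    book.auto_add_on_reply('"g2@mail.com" <b@mail.com>')  # step 2
    print(book.resolve_vulnerable("g2@mail.com"))   # b@mail.com (step 3)
    print(book.resolve_hardened("g2@mail.com"))     # g2@mail.com
    print(book.suspicious_entries())                # {'g2@mail.com': 'b@mail.com'}
```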

    Now, e-mail spoofing has existed for a long time, but it has not
    been abused much, since one can only *send* spoofed messages, not
    receive their replies.  Even Reply-To manipulation shows up in one
    way or another... but not this.  This is totally invisible!

    Incidentally, *nothing* prevents messages from being forwarded
    further once they have been illicitly received.  This may be one of
    the more dangerous methods of executing a man-in-the-middle attack
    with e-mail alone.

SOLUTION

    Disable the "Automatically put people I reply to in my address
    book" option.  Microsoft was contacted, acknowledged the problem,
    and replied that it is impossible to fix until the next IE 5.5 SP.