copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » Windows (all) » ESB-2008.0491 -- [Win] -- Potential security flaw in...
 

ESB-2008.0491 -- [Win] -- Potential security flaw in Outlook Web Access (OWA)
Date: 13 May 2008

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0491 -- [Win]
            Potential security flaw in Outlook Web Access (OWA)
                                13 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Outlook Web Access (OWA)
Publisher:            US-CERT
Operating System:     Windows
Impact:               Access Confidential Data
Access:               Existing Account

Original Bulletin:    http://www.kb.cert.org/vuls/id/829876

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#829876

Microsoft Outlook Web Access may not use the no-store HTTP directive

Overview

Some versions of Outlook Web Access (OWA) may use the no-cache instead of 
the no-store HTTP 1.1 directive. This results in web browsers caching 
sensitive information.

I. Description

Some versions of Outlook Web Access may use the Cache-Control: no-cache 
HTTP 1.1 directive.

- From RFC 2616:

      If the no-cache directive does not specify a field-name, then a cache 
      MUST NOT use the response to satisfy a subsequent request without 
      successful revalidation with the origin server. This allows an origin 
      server to prevent caching even by caches that have been configured to 
      return stale responses to client requests.
      If the no-cache directive does specify one or more field-names, then a 
      cache MAY use the response to satisfy a subsequent request, subject to 
      any other restrictions on caching. However, the specified 
      field-name(s) MUST NOT be sent in the response to a subsequent request 
      without successful revalidation with the origin server. This allows an 
      origin server to prevent the re-use of certain header fields in a 
      response, while still allowing caching of the rest of the response.

Using the no-cache instead of the no-store directive may cause web browsers 
that closely follow RFC 2616 to store potentially sensitive information.

II. Impact

Sensitive information that is viewed during an Outlook Web Access session 
may be stored to disk.

III. Solution

We are unware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by 
deleting data that was inadvertantly cached.

    * In Internet Explorer 7, click on Tools, Internet Options, Delete 
      (under the Browsing history section), then Delete all.
    * For Firefox 2 and 3 see the Firefox Options window support page for 
      information on how to automatically remove cached browser files.
    * In Safari 3.0, click Safari then Reset Safari.
    * In recent of versions of Opera, go to Tools, Preferences, Advanced, 
      History and set the cache to Empty on exit.
    * For recent versions of the Konqueror browser, use the KControl module 
      called Cache, then click on the Clear cache button.

Administrators should also considering securely erasing deleting browser 
caches before re-deploying or disposing of hard drives.

Systems Affected

Vendor	                Status	        Date Updated
Microsoft Corporation	Vulnerable	31-Mar-2008

References


http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2
http://support.mozilla.com/en-US/kb/Options+window#Private_Data
http://docs.info.apple.com/article.html?path=Safari/3.0/en/9300.html
http://www.opera.com/support/tutorials/security/shared/
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Credit

Thanks to Bill Knox from MITRE reporting this vulnerability.

This document was written by Ryan Giobbi.
Other Information
Date Public	         05/09/2008
Date First Published	 05/09/2008 08:08:29 AM
Date Last Updated	 05/09/2008
CERT Advisory	 
CVE Name	 
US-CERT Technical Alerts	 
Metric	                 0.11
Document Revision	 22

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSCjQ2yh9+71yA2DNAQInjAQAgjLBXGLNvLxT361UrHMy+ag5OoomAwqu
YkNdyJ1IHSWy4lihUbyya8ffOZz9GI97KSxTF9QUw+WzatjBHOMmjgB7ZZ1KzjYX
Q6Le1sP4zIsCRAWNlM37jrQ/7+dCsuVaDv8K3riQoYKtZj81Ex4JZNkJt6/8hI21
BJQ6qdVoW5I=
=1/ec
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=21&it=9268