-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0491
        [Win] Potential security flaw in Outlook Web Access (OWA)
                                13 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Outlook Web Access (OWA)
Publisher:            US-CERT
Operating System:     Windows
Impact:               Access Confidential Data
Access:               Existing Account

Original Bulletin:
  http://www.kb.cert.org/vuls/id/829876

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#829876

Microsoft Outlook Web Access may not use the no-store HTTP directive

Overview

Some versions of Outlook Web Access (OWA) may use the no-cache instead of
the no-store HTTP 1.1 directive. This results in web browsers caching
sensitive information.

I. Description

Some versions of Outlook Web Access may use the Cache-Control: no-cache
HTTP 1.1 directive.

- From RFC 2616:

   If the no-cache directive does not specify a field-name, then a cache
   MUST NOT use the response to satisfy a subsequent request without
   successful revalidation with the origin server. This allows an origin
   server to prevent caching even by caches that have been configured to
   return stale responses to client requests.

   If the no-cache directive does specify one or more field-names, then a
   cache MAY use the response to satisfy a subsequent request, subject to
   any other restrictions on caching. However, the specified field-name(s)
   MUST NOT be sent in the response to a subsequent request without
   successful revalidation with the origin server. This allows an origin
   server to prevent the re-use of certain header fields in a response,
   while still allowing caching of the rest of the response.
Using the no-cache instead of the no-store directive may cause web browsers
that closely follow RFC 2616 to store potentially sensitive information:
no-cache only requires the browser to revalidate a stored copy with the
server before reusing it, and does not forbid writing the response to disk.
Only no-store (RFC 2616 section 14.9.2) forbids keeping any part of the
response in non-volatile storage.

II. Impact

Sensitive information that is viewed during an Outlook Web Access session
may be stored to disk, where anyone who later gains access to the machine
or its drive (for example on a shared workstation or a recycled hard drive)
may be able to read it.

III. Solution

We are unaware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by
deleting data that was inadvertently cached.

   * In Internet Explorer 7, click on Tools, Internet Options, Delete
     (under the Browsing history section), then Delete all.
   * For Firefox 2 and 3 see the Firefox Options window support page for
     information on how to automatically remove cached browser files.
   * In Safari 3.0, click Safari then Reset Safari.
   * In recent versions of Opera, go to Tools, Preferences, Advanced,
     History and set the cache to Empty on exit.
   * For recent versions of the Konqueror browser, use the KControl module
     called Cache, then click on the Clear cache button.

Where OWA is served over HTTPS, Internet Explorer's Advanced option "Do not
save encrypted pages to disk" (Tools, Internet Options, Advanced) stops it
from writing HTTPS responses to the cache regardless of the Cache-Control
header. Full-disk encryption (see the disk encryption reference below)
limits what can be recovered from a cached copy by someone who obtains the
drive.

Administrators should also consider securely erasing browser caches before
re-deploying or disposing of hard drives.

Systems Affected

Vendor                  Status        Date Updated
Microsoft Corporation   Vulnerable    31-Mar-2008

References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2
http://support.mozilla.com/en-US/kb/Options+window#Private_Data
http://docs.info.apple.com/article.html?path=Safari/3.0/en/9300.html
http://www.opera.com/support/tutorials/security/shared/
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Credit

Thanks to Bill Knox from MITRE for reporting this vulnerability.

This document was written by Ryan Giobbi.
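Added example (editorial, not part of the US-CERT note or the AusCERT
bulletin): a small Python audit that parses raw HTTP response headers,
classifies the Cache-Control directives the way an RFC 2616 cache would
(no-store forbids storage; a bare no-cache only forces revalidation), and
flags responses that rely on no-cache alone. The two sample responses are
constructed for this example, not captured from a real OWA server, and the
/exchange/ path label and the recommended header set are the author's
choices, not something the advisory specifies.

```python
# Added example, not code from the US-CERT note or AusCERT. Classifies a
# response's Cache-Control directives per RFC 2616 and flags the no-cache-only
# case described in VU#829876. Sample responses below are constructed.
import re
from typing import Dict, List, Optional

# Constructed sample: a page that relies on no-cache alone (the weak case).
NO_CACHE_ONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-cache\r\n"
    "Expires: -1\r\n"
    "\r\n"
    "<html><!-- constructed sample mailbox page --></html>"
)

# Constructed sample: the same page with a header set that forbids storage.
NO_STORE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, private\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "\r\n"
    "<html><!-- constructed sample mailbox page --></html>"
)

# One directive: name, optionally "=" and either a quoted string or a bare
# token. The quoted alternative keeps no-cache="Set-Cookie, X" in one piece.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^,]*))?')


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response.

    Field names are case-insensitive (RFC 2616 4.2), so keys are lower-cased;
    a repeated field keeps every value, in order.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each Cache-Control directive to its argument (None when bare).

    Several Cache-Control fields are equivalent to one comma-joined list
    (RFC 2616 4.2), so all values are joined before tokenising.
    """
    joined = ",".join(headers.get("cache-control", []))
    directives: Dict[str, Optional[str]] = {}
    for m in _DIRECTIVE.finditer(joined):
        arg = m.group(2)
        directives[m.group(1).lower()] = None if arg is None else arg.strip().strip('"')
    return directives


def storage_verdict(headers: Dict[str, List[str]]) -> str:
    """How an RFC 2616 cache may treat the response.

    'no-store'          MUST NOT keep any part of it in non-volatile storage (14.9.2)
    'revalidate'        may be stored, disk included, but MUST NOT be reused
                        without revalidation (bare no-cache, 14.9.1)
    'partial-no-cache'  no-cache names specific fields; the rest is cacheable
    'cacheable'         nothing in Cache-Control restricts storage
    """
    d = cache_control_directives(headers)
    if "no-store" in d:
        return "no-store"
    if "no-cache" in d:
        return "revalidate" if d["no-cache"] is None else "partial-no-cache"
    return "cacheable"


def audit(raw: str, path: str = "/exchange/") -> List[str]:
    """Findings for a response the caller considers sensitive. The path is a
    label for the report only (hypothetical default, not from the advisory)."""
    verdict = storage_verdict(parse_headers(raw))
    if verdict == "no-store":
        return []
    return [f"{path}: Cache-Control lacks no-store (verdict: {verdict}); "
            "a browser may write the response body to its disk cache"]


def recommended_cache_headers() -> Dict[str, str]:
    """Header set for pages that must never land on disk. no-store is the
    RFC 2616 control; no-cache and must-revalidate stop reuse of copies an
    intermediary already holds; Pragma and Expires cover HTTP/1.0 caches
    that ignore Cache-Control."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    for label, raw in (("no-cache only", NO_CACHE_ONLY_RESPONSE),
                       ("no-store", NO_STORE_RESPONSE)):
        print(label, "->", audit(raw) or ["ok"])
```

To use it against a live server, capture the response headers for a
mailbox page (for example with a proxy or curl -i) and pass the raw text to
audit(); a verdict other than no-store means the page may be written to the
browser's disk cache.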
Other Information

Date Public:                 05/09/2008
Date First Published:        05/09/2008 08:08:29 AM
Date Last Updated:           05/09/2008
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric:                      0.11
Document Revision:           22

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSCjQ2yh9+71yA2DNAQInjAQAgjLBXGLNvLxT361UrHMy+ag5OoomAwqu
YkNdyJ1IHSWy4lihUbyya8ffOZz9GI97KSxTF9QUw+WzatjBHOMmjgB7ZZ1KzjYX
Q6Le1sP4zIsCRAWNlM37jrQ/7+dCsuVaDv8K3riQoYKtZj81Ex4JZNkJt6/8hI21
BJQ6qdVoW5I=
=1/ec
-----END PGP SIGNATURE-----