Description
Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address differs from the "From" address. This could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
Products
- Microsoft Outlook 2000
- Microsoft Outlook 2000 SP2
- Microsoft Outlook 2000 SP3
- Microsoft Outlook 2000 Service Pack 4
- Microsoft Outlook 2000 SR1
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.27.3110
- Microsoft Outlook Express 4.5
- Microsoft Outlook Express 4.72.2106
- Microsoft Outlook Express 4.72.3120
- Microsoft Outlook Express 4.72.3612
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.5
- Microsoft Outlook Express 5.5 SP1
- Microsoft Outlook Express 5.5 SP2
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2001-1088, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2001-1088 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References