Vulnerability Note VU#829876

Microsoft Outlook Web Access not may use correct HTTP directive

Original Release date: 09 May 2008 | Last revised: 28 Dec 2009

Overview

Some versions of Outlook Web Access (OWA) may use the no-cache instead of the no-store HTTP 1.1 directive. This results in web browsers caching sensitive information.

Description

Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive.

From RFC 2616:

    If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.
    If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.
Using the no-cache instead of the no-store directive may cause web browsers that closely follow RFC 2616 to store potentially sensitive information. Administrators are encouraged to verify that private resources operating over HTTP or HTTPs set appropriate caching control headers.

Impact

Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.

Solution

We are unware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by deleting data that was inadvertantly cached.

  • In Internet Explorer 7, click on Tools, Internet Options, Delete (under the Browsing history section), then Delete all.
  • For Firefox 2 and 3 see the Firefox Options window support page for information on how to automatically remove cached browser files.
  • In Safari 3.0, click Safari then Reset Safari.
  • In recent of versions of Opera, go to Tools, Preferences, Advanced, History and set the cache to Empty on exit.
  • For recent versions of the Konqueror browser, use the KControl module called Cache, then click on the Clear cache button.
Administrators should also considering securely erasing deleting browser caches before re-deploying or disposing of hard drives.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected06 Mar 200831 Mar 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Bill Knox from MITRE reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 May 2008
  • Date First Published: 09 May 2008
  • Date Last Updated: 28 Dec 2009
  • Severity Metric: 0.11
  • Document Revision: 28

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.