search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Outlook Web Access not may use correct HTTP directive

Vulnerability Note VU#829876

Original Release Date: 2008-05-09 | Last Revised: 2009-12-28

Overview

Some versions of Outlook Web Access (OWA) may use the no-cache instead of the no-store HTTP 1.1 directive. This results in web browsers caching sensitive information.

Description

Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive.

From RFC 2616:
If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.
If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.

Using the no-cache instead of the no-store directive may cause web browsers that closely follow RFC 2616 to store potentially sensitive information. Administrators are encouraged to verify that private resources operating over HTTP or HTTPs set appropriate caching control headers.

Impact

Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.

Solution

We are unware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by deleting data that was inadvertantly cached.

    • In Internet Explorer 7, click on Tools, Internet Options, Delete (under the Browsing history section), then Delete all.
    • For Firefox 2 and 3 see the Firefox Options window support page for information on how to automatically remove cached browser files.
    • In Safari 3.0, click Safari then Reset Safari.
    • In recent of versions of Opera, go to Tools, Preferences, Advanced, History and set the cache to Empty on exit.
    • For recent versions of the Konqueror browser, use the KControl module called Cache, then click on the Clear cache button.
Administrators should also considering securely erasing deleting browser caches before re-deploying or disposing of hard drives.

Vendor Information

829876
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  March 06, 2008 Updated:  March 31, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Bill Knox from MITRE reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 0.11
Date Public: 2008-05-09
Date First Published: 2008-05-09
Date Last Updated: 2009-12-28 18:48 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.