Check: DTOO248 - Base
Microsoft Outlook 2007:
DTOO248 - Base
(in versions v4 r16 through v4 r15)
Title
Set Control Item property prompt for data, to automatically deny. (Cat II impact)
Discussion
When a control on a custom Outlook 2007 form is bound directly to any of the Address Information fields, the form code can indirectly retrieve the value of the Address Information field by obtaining the Value property of the control. If the custom form was created by a malicious or inexperienced user, sensitive information could be exposed to unauthorized parties. By default, Outlook prompts users when they bind a control to an Address Information field.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security
Criteria: If the value PromptOOMItemPropertyAccess is REG_DWORD = 0, this is not a finding.
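The registry criterion above can be audited from a script, shown here as an added example that is not part of the original check text. The function name Test-DTOO248 and the shape of its result object are assumptions. Because the key is under HKCU, it must run in the session of the user being audited.

```powershell
# Added example: evaluates the DTOO248 criterion for the current user.
# Key path and value name come from the Check Content text; the function
# name and result fields are hypothetical.
function Test-DTOO248 {
    param(
        [string]$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security',
        [string]$ValueName = 'PromptOOMItemPropertyAccess'
    )

    # Assume a finding until the criterion is proven to be met.
    $result = [ordered]@{ Check = 'DTOO248'; Finding = $true; Reason = '' }

    # A missing policy key means the policy was never applied to this user.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $result.Reason = "Policy key not present: $KeyPath"
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        $result.Reason = "Value $ValueName is not set"
        return [pscustomobject]$result
    }

    # The criterion names both the type (REG_DWORD) and the data (0),
    # so check the value kind as well as the value itself.
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "Value is $kind, expected REG_DWORD"
    }
    elseif ($data -ne 0) {
        $result.Reason = "Value is $data, expected 0"
    }
    else {
        $result.Finding = $false
        $result.Reason  = 'REG_DWORD = 0'
    }
    return [pscustomobject]$result
}

Test-DTOO248
```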
Fix Text
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”.
Additional Identifiers
Rule ID: SV-19028r1_rule
Vulnerability ID: V-17801
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |