VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2137

Description

Outlook Express 6.0 leaks BCC recipients to To/CC fields when breaking apart large multipart email messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Outlook Express 6.0 contains a confidentiality vulnerability in its multipart email handling. When the user enables the "Break apart messages larger than" setting, the BCC recipients of an email message are inadvertently included in the To or CC fields of the resulting message parts. This affects all versions of Outlook Express 6.0 with this setting active [1][2].

Exploitation

An attacker can exploit this issue by sending an email to the victim with the To/CC fields set to attacker-controlled addresses. The attacker must induce the victim to send a multipart email that exceeds the configured size threshold. No authentication is required beyond the victim composing a message; the vulnerability triggers automatically during split delivery. The attacker does not need network position beyond being a recipient in the To or CC [1][2].

Impact

Successful exploitation leads to unintended disclosure of the BCC recipient list to recipients in the To and CC fields. This exposes sensitive information about hidden recipients, potentially violating privacy or business confidentiality. The impact is limited to information disclosure; no code execution or privilege escalation is possible [1][2].

Mitigation

As of the available references, no patch or update is documented for this issue. Users are advised to disable the "Break apart messages larger than" setting in Outlook Express 6.0 to prevent the leakage. Alternatively, use a different email client that does not exhibit this behavior [1][2].
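To confirm whether messages already sent with the setting enabled exposed hidden recipients, the split parts can be compared against the intended BCC list. The following is an added example, not code from the advisory or from Microsoft; it assumes the parts are available as raw message text and that the sender's intended BCC list is known, and every address, header and message in it is constructed.

```python
from email import message_from_string
from email.utils import getaddresses


def visible_recipients(raw):
    """Return the lower-cased addresses found in the To and Cc headers."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def leaked_bcc(fragments, intended_bcc):
    """Map 1-based fragment number -> BCC addresses visible in To/Cc."""
    hidden = {a.lower() for a in intended_bcc}
    findings = {}
    for index, raw in enumerate(fragments, start=1):
        exposed = visible_recipients(raw) & hidden
        if exposed:
            findings[index] = sorted(exposed)
    return findings


# Constructed sample parts of one split message (assumed to be
# message/partial fragments; not captured from a real client).
SAMPLE_FRAGMENTS = [
    "From: sender@example.com\n"
    "To: Alice <alice@example.com>\n"
    "Subject: report [1/2]\n"
    'Content-Type: message/partial; id="constructed-1"; number=1; total=2\n'
    "\n"
    "first part of the body\n",
    "From: sender@example.com\n"
    "To: Alice <alice@example.com>\n"
    "Cc: Hidden@Example.org\n"
    "Subject: report [2/2]\n"
    'Content-Type: message/partial; id="constructed-1"; number=2; total=2\n'
    "\n"
    "second part of the body\n",
]

if __name__ == "__main__":
    for part, addrs in leaked_bcc(SAMPLE_FRAGMENTS, ["hidden@example.org"]).items():
        print(f"fragment {part}: BCC visible in To/Cc: {', '.join(addrs)}")
```
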

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*
  • (no CPE) range: =6.0

Patches

0

No patches discovered yet.

References

7
