New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!
· Ian T's (AR 22)
· Marcia's (CO8)
· Bill G's (CO10)
· Paul's (AR 5)
· Robin's (AR 2)
· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
· Robin's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· RegChat
· Reviews
· Search (Topics)
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?
$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 856
Comments: 19
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
image microsoft: Vulnerabilities: Microsoft Outlook mailto URL Handling Vulnerability image
Microsoft

Microsoft Outlook mailto URL Handling Vulnerability

"Outlook 2002 exposes a vulnerability due to inadequate checking of parameters passed to the Outlook email client. The vulnerability is caused by the way a "mailto:" URL is interpreted. An attacker creating specially formatted "mailto:" URLs can cause Outlook to run privileged script, ultimately leading to the execution of arbitrary code. The malicious code could be delivered to the victim via a specially crafted HTML email message or from an intruder-controlled web page. ..."

Original issue date: March 10, 2004

Source: US-CERT

Systems Affected

  • Microsoft Office XP (up to Service Pack 2)
  • Microsoft Outlook 2002 (up to Service Pack 2)

Overview

A vulnerability in the way that Microsoft Outlook 2002 handles a certain type of URL could allow a remote attacker to execute arbitrary code on the vulnerable system.

I. Description



Microsoft Outlook provides a centralized application for managing and organizing email messages, schedules, tasks, notes, contacts, and other information. Outlook is included as a component of newer versions of Microsoft Office and available as a stand-alone product.

Outlook 2002 exposes a vulnerability due to inadequate checking of parameters passed to the Outlook email client. The vulnerability is caused by the way a "mailto:" URL is interpreted. An attacker creating specially formatted "mailto:" URLs can cause Outlook to run privileged script, ultimately leading to the execution of arbitrary code. The malicious code could be delivered to the victim via a specially crafted HTML email message or from an intruder-controlled web page.

Microsoft originally stated that users were only at risk from this vulnerability when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page. Subsequent information has been published that indicates that this is not true and users in other situations are vulnerable via a slightly different attack vector.

II. Impact



An attacker could execute arbitrary code of their choosing on the system running the vulnerable version of Outlook. Upon successful exploitation, the malicious code would be executed in the context of the "Local Machine" Internet Explorer zone under the user running Outlook.

III. Solution

Apply a patch



Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-009.

Workarounds



Microsoft recommends the following workarounds for users who are unable to apply the patches:
  • Do not use the "Outlook Today" folder home page in Outlook 2002
    You can help protect against this vulnerability by turning off the "Outlook today" folder home page in Outlook 2002.
    1. In the "Folder List" window of Outlook, right-click on "Outlook Today" or "Mailbox - [User Name]"
    2. Select Properties for "Outlook Today" or "Mailbox - [User Name]"
    3. Select "Home Page" tab
    4. Uncheck "Show home page by default for this folder"
    5. Repeat for all other "Folder List" items labeled "Outlook Today" or "Mailbox - [User Name]"


    Impact of Workaround: The "Outlook Today" folder home page would no longer be available.
  • If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read email messages in plain text format to help protect yourself from the HTML email attack vector
    Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed email messages or non-encrypted email messages in plain text only. Digitally-signed email messages and encrypted email messages are not affected by the setting and may be read in their original formats.

    Instructions for enabling these settings can be found at the following locations:
    • Outlook 2002 - Microsoft Knowledge Base Article 307594
    • Outlook Express 6.0 - Microsoft Knowledge Base Article 291387


    Impact of Workaround: Email that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:
    • The changes are applied to the preview pane and to open messages.
    • Pictures become attachments to avoid loss of message content.
    • The object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store.

Appendix A. Vendor Information



This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft



Please see Microsoft Security Bulletin MS04-009.

Appendix B. References

  • US-CERT Vulnerability Note VU#305206 - <http://www.kb.cert.org/vuls/id/305206>
  • iDEFENSE Security Advisory 03.09.04 - <http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities>
  • IETF RFC2368, "The mailto URL scheme" - <http://www.ietf.org/rfc/rfc2368.txt>
  • Microsoft Security Bulletin MS04-009 - <http://microsoft.com/technet/security/bulletin/MS04-009.aspx>
  • Microsoft Knowledge Base Article 307594 - <http://support.microsoft.com/default.aspx?kbid=307594>
  • Microsoft Knowledge Base Article 291387 - <http://support.microsoft.com/default.aspx?kbid=291387>


This issue was jointly reported publicly by Microsoft Security and iDefense. They, in turn, credit Juoko Pyonen with the discovery and research of this vulnerability. Information from iDefense and Microsoft was used in this document.
Source:  US-Cert
Posted on Thursday, 11 March 2004 @ 07:18:00 EST by cj
image

 
Login
Nickname

Password
· New User? ·
Click here to create a registered account.
image
Related Links
· TrackBack (0)
· Microsoft
· HotScripts
· W3 Consortium
· HTML Standard
· Google Microsoft Search
· Microsoft
· Technet Online
· HotFix & Security Bulletins
· More about Microsoft
· News by cj
Most read story about Microsoft:
Internet Explorer file:// Request Zone Bypass Vulnerability

image
Article Rating
Average Score: 0
Votes: 0

Please take a second and vote for this article:

Bad
Regular
Good
Very Good
Excellent

image
Options

Printer Friendly Page  Printer Friendly Page
image
"Login" | Login/Create an Account | 0 comments
Threshold
The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register
Home · Topics · Submit News · Top 10
This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved.
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Acceptable Use Policy. Use signifies your agreement.
Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member.
Paul Laudanski, Member of Computer Cops, LLC
Server Load: 1132 pages served in previous 5 minutes. Page Generation: 0.323 seconds.