Microsoft Outlook 2000 URL spoofing (Email_Outlook_URL_Spoof)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor:

This signature detects emails containing specially crafted URLs which may be used to falsify URL links in email, making them appear to link to different sites than are displayed to the user in the email. This could be an attempt to trick users into clicking on malicious or inappropriate links.

This signature detects emails containing specially-crafted URLs which may be used to falsify URL links in email, making them appear to link to different sites than are displayed to the user in the email. This could be an attempt to trick users into clicking on malicious or inappropriate links.


False positives

Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor: It is possible, though fairly unlikely that a valid URL could contain an encoding similar enough to a malicious attack attempt to be detected as an attack. This is however very unlikely.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Proventia-G 1.1 and earlier: XPU 22.25, Proventia Network MFS: XPU 1.23, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 22.25, RealSecure Server Sensor: XPU 22.25

Systems affected

Microsoft Outlook: 2000, Microsoft Windows 2000, Microsoft Windows 95, Microsoft Windows 98

Type

Suspicious Activity

Vulnerability description

Microsoft Outlook could allow a remote attacker to spoof a trusted Web page by altering the URL that is displayed in an email. A remote attacker could send a specially-crafted email containing a URL link to a legitimate Web site followed by an asterisk ( * ) and a URL link to a malicious site, which would cause only the URL prior to the asterisk to be displayed. The victim would be redirected to the malicious Web site, once the link is clicked. An attacker could use this vulnerability to trick unsuspecting users to visit a malicious Web site.

How to remove this vulnerability

No remedy available as of October 11, 2008.

References

BugTraq Mailing List, Tue May 11 2004 - 08:48:03 CDT
Hiding URLs from Outlook and other mail clients
http://archives.neohapsis.com/archives/bugtraq/2004-05/0094.html

ISS X-Force
Microsoft Outlook 2000 URL spoofing
http://www.iss.net/security_center/static/16119.php