Microsoft Outlook 2000 URL spoofing (Email_Outlook_URL_Spoof)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor:

This signature detects emails containing specially crafted URLs which may be used to falsify URL links in email, making them appear to link to different sites than are displayed to the user in the email. This could be an attempt to trick users into clicking on malicious or inappropriate links.


False positives

Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor: It is possible, though fairly unlikely that a valid URL could contain an encoding similar enough to a malicious attack attempt to be detected as an attack. This is however very unlikely.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network MFS: XPU 1.23, Proventia-G 1.1 and earlier: XPU 22.25, Proventia Network IDS: XPU 22.25, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, RealSecure Network: XPU 22.25, RealSecure Server Sensor: XPU 22.25, RealSecure Desktop: baseline

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 2000, Microsoft Outlook: 2000

Type

Suspicious Activity

Vulnerability description

Microsoft Outlook could allow a remote attacker to spoof a trusted Web page by altering the URL that is displayed in an email. A remote attacker could send a specially-crafted email containing a URL link to a legitimate Web site followed by an asterisk ( * ) and a URL link to a malicious site, which would cause only the URL prior to the asterisk to be displayed. The victim would be redirected to the malicious Web site, once the link is clicked. An attacker could use this vulnerability to trick unsuspecting users to visit a malicious Web site.

How to remove this vulnerability

No remedy available as of June 6, 2009.

References

BugTraq Mailing List, Tue May 11 2004 - 08:48:03 CDT
Hiding URLs from Outlook and other mail clients
http://archives.neohapsis.com/archives/bugtraq/2004-05/0094.html

ISS X-Force
Microsoft Outlook 2000 URL spoofing
http://www.iss.net/security_center/static/16119.php