Microsoft Outlook 2002 mailto URL allows execution of code (HTML_Outlook_MailTo_Code_Execution)

About this signature or vulnerability

Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server:

This signature detects a malicious web page with a 'mailto:' URI that could allow the execution of code.


Default risk level

High

Sensors that have this signature

Proventia Network MFS: XPU 1.41, Proventia-G 1.1 and earlier: XPU 24.2, Proventia Network IPS: XPU 1.42, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, RealSecure Network: XPU 24.2, RealSecure Server Sensor: XPU 24.2, BlackICE Agent for Server: 3.6eof

Systems affected

Microsoft Outlook: 2002, Microsoft Office: XP SP2

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Outlook 2002 could allow a remote attacker to execute arbitrary code on the system. Systems that have the Outlook Today home page configured as the default home page and Outlook 2002 as the default mail reader, both of which are configured by default, are vulnerable. A remote attacker could create a specially crafted mailto URL, which would allow the attacker to execute arbitrary code in the Local Machine zone of an affected system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. After the victim has visited the malicious Web page or viewed the email, the attacker could gain unauthorized access to files and execute arbitrary code on the victim's system with the user's privileges.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-009. See References.

References

Microsoft Security Bulletin MS04-009
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

iDEFENSE Security Advisory 03.09.04
Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities&flashstatus=true

CERT Vulnerability Note VU#305206
Microsoft Outlook fails to properly filter parameters passed via "mailto:" URL
http://www.kb.cert.org/vuls/id/305206

BugTraq Mailing List, Wed Mar 10 2004 - 06:35:05 CST
Outlook mailto: URL argument injection vulnerability
http://archives.neohapsis.com/archives/bugtraq/2004-03/0086.html

CIAC Information Bulletin O-096
Microsoft Outlook Could Allow Unauthorized Code Execution
http://www.ciac.org/ciac/bulletins/o-096.shtml

ISS X-Force
Microsoft Outlook 2002 mailto URL allows execution of code
http://www.iss.net/security_center/static/15414.php

CVE
CVE-2004-0121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121