RealSecure Desktop, BlackICE PC Protection, BlackICE Agent for Server, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:
This signature detects a malicious web page with a 'mailto:' URI that could allow the execution of code.
High
RealSecure Desktop: eoa, BlackICE PC Protection: 3.6cpa, BlackICE Agent for Server: 3.6eof, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, RealSecure Server Sensor: XPU 24.2, RealSecure Network: XPU 24.2, Proventia Desktop: 8.0.614.1, Proventia Network IPS: XPU 1.42, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: eoa, Proventia Network IDS: XPU 24.2, Proventia-G 1.1 and earlier: XPU 24.2, Proventia Network MFS: XPU 1.41
Microsoft Outlook: 2002, Microsoft Office: XP SP2
Unauthorized Access Attempt
Microsoft Outlook 2002 could allow a remote attacker to execute arbitrary code on the system. Systems that have the Outlook Today home page configured as the default homepage and Outlook 2002 as the default mail reader, both of which are configured by default, are vulnerable. A remote attacker could create a specially-crafted mailto URL, which would allow the attacker to execute arbitrary code in the Local Machine zone of an affected system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. After the victim has visited the malicious Web page or viewed the email, the attacker could gain unauthorized access to files and execute arbitrary code on the victim's system with the user's privileges.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-009. See References.
Microsoft Security Bulletin MS04-009
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
iDEFENSE Security Advisory 03.09.04:
Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities&flashstatus=true
CERT Vulnerability Note VU#305206
Microsoft Outlook fails to properly filter parameters passed via "mailto:" URL
http://www.kb.cert.org/vuls/id/305206
BugTraq Mailing List, Wed Mar 10 2004 - 06:35:05 CST
Outlook mailto: URL argument injection vulnerability
http://archives.neohapsis.com/archives/bugtraq/2004-03/0086.html
CIAC Information Bulletin O-096
Microsoft Outlook Could Allow Unauthorized Code Execution
http://www.ciac.org/ciac/bulletins/o-096.shtml
ISS X-Force
Microsoft Outlook 2002 mailto URL allows execution of code
http://www.iss.net/security_center/static/15414.php
CVE
CVE-2004-0121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121