Date discovered: 03-09-2004
Risk: High
Description
A vulnerability was discovered in Outlook 2002 that allows attackers to execute arbitrary script code on unpatched machines. The code runs in the context of the "Local Machine" zone, which allows attackers to run malicious applications and read sensitive information on the vulnerable machine. The malicious mailto: link can be embedded in an HTML email as an image, so the link is launched without any user intervention other than opening the email.
The HTML body of a malicious email can contain an image tag similar to the one shown below (the payload is shown as a placeholder):
<img src="mailto:expl"e;malicious-code">
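The detection a mail gateway needs for this vector follows directly from the description above: the trigger is an image element whose source uses the mailto: scheme, so a scanner only has to walk the HTML parts of a message and inspect img src attributes. The following Python is an added example written for this page; it is not GFI's exploit engine and not code from the advisory. The sample message is constructed here, the src value "mailto:PLACEHOLDER" is a harmless stand-in for the elided payload, and the normalization step (percent-decoding, stripping whitespace and control characters before reading the scheme) is an assumption about how such a check should be hardened rather than something the advisory states.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample message (not taken from the advisory). The second img src
# uses the mailto: scheme with a placeholder in place of any real payload.
SAMPLE_EML = """From: sender@example.invalid
To: user@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain text fallback.
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>See the image below</p>
<img src="https://example.invalid/logo.png">
<img src="mailto:PLACEHOLDER">
</body></html>
--b1--
"""


def url_scheme(url):
    """Return the lowercase scheme of url, or '' when there is none.

    The value is percent-decoded once and stripped of whitespace and control
    characters first, so a scheme split across encoded or padded characters
    is still recognised (a hardening assumption, not part of the advisory).
    """
    cleaned = "".join(ch for ch in unquote(url) if not ch.isspace() and ord(ch) >= 0x20)
    head, sep, _rest = cleaned.partition(":")
    return head.lower() if sep else ""


class MailtoImageScanner(HTMLParser):
    """Collects img elements whose src attribute resolves to the mailto: scheme."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes entities in attribute values
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value is not None and url_scheme(value) == "mailto":
                self.findings.append(value)


def scan_message(raw_message):
    """Return the list of offending img src values found in every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = MailtoImageScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


if __name__ == "__main__":
    hits = scan_message(SAMPLE_EML)
    if hits:
        print("blocked: img element with mailto: source:", hits)
    else:
        print("no mailto: image sources found")
```

A gateway would quarantine the message on any hit; scanning every HTML part matters because the exploit only needs the HTML alternative to be rendered, regardless of what the plain-text part says.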
GFI MailSecurity Email Exploit Engine
On March 11, 2004, GFI issued an update to the GFI MailSecurity Email Exploit Engine that catches attempts to exploit this vulnerability through email. GFI MailSecurity identifies this exploit as "Outlook mailto code execution exploit MS04-009".
To make sure your MailSecurity Email Exploit Engine is up to date, read the GFI article "Email exploit update settings".
Recommendations
It is recommended to install the Microsoft patches on the client machines. Microsoft has released the following patches to address this vulnerability:
Microsoft Office XP Service Pack 2 http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Outlook 2002 Service Pack 2 http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
References
iDEFENSE: Microsoft Outlook "mailto:" Parameter Passing Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=79
Microsoft: Security Bulletin MS04-009 http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
Outlook mailto: URL handling flaw allows code execution http://jouko.iki.fi/adv/outlook.html
Credits
This vulnerability was reported to Microsoft by iDEFENSE and Jouko Pynnönen.
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.