SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Client)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook 'mailto' URL Parsing Bug Lets Remote Users Execute Arbitrary Code in the Local Computer Domain
SecurityTracker Alert ID:  1009357
SecurityTracker URL:  http://securitytracker.com/id/1009357
CVE Reference:   CVE-2004-0121
Updated:  Mar 11 2004
Original Entry Date:  Mar 9 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Microsoft Outlook 2002
Description:   A vulnerability was reported in Microsoft Outlook 2002 in the processing of certain 'mailto' URLs. A remote user can execute arbitrary scripting code in the Local Computer security zone. Microsoft Office XP is also affected.

It is reported that a remote user can create a specially crafted 'mailto' URL that, when loaded by the target user, will cause arbitrary code to be executed on the target user's system. The code will run with the privileges of the target user in the Local Machine Zone.

Microsoft has assigned a 'Critical' severity rating to this flaw.

Microsoft credits iDefense and Jouko Pynnönen for reporting this vulnerability.

Impact:   A remote user can create a URL that, when loaded by the target user, will cause scripting code to be executed on the target user's system. The scripting code will run in the Local Computer zone with the privileges of the target user.
Solution:   Microsoft has issued the following fix:

Microsoft Outlook 2002 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en

No restart is required after applying this patch, the report said.

Some workarounds are described in the vendor's security bulletin, available at:

http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms04-009.mspx
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  MS04-009


www.microsoft.com/technet/security/bulletin/ms04-009.mspx

Microsoft Security Bulletin MS04-009

Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

Issued: March 9, 2004


Maximum Severity Rating:  Important

CVE: CAN-2004-0121


The vendor reports that Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft 
Office 2003, Microsoft Outlook 2000 SP3, Microsoft Outlook 2002 SP3, and Microsoft Outlook 
2003 are not affected.

A vulnerability was reported in Microsoft Outlook 2002 in the processing of certain 
'mailto' URLs.  A remote user can execute arbitrary scripting code in the Local Computer 
security zone.

It is reported that a remote user can create a specially crafted 'mailto' URL that, when 
loaded by the target user, will cause arbitrary code to be executed on the target user's 
system.  The code will run with the privileges of the target user in the Local Machine Zone.



Microsoft has issued the following fixes:

Microsoft Office XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en

Microsoft Outlook 2002 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en

No restart is required after applying this patch, the report said.

Some workarounds are described in the vendor's security bulletin, available at:

http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx


Copyright 2021, SecurityGlobal.net LLC