Microsoft Outlook provides "an integrated solution for managing and organizing e-mail messages, schedules, tasks, notes, contacts, and other information". Remote exploitation of an input validation error in the handling of "mailto" URIs by Microsoft Corp.'s Outlook may allow arbitrary code execution.

Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=673
Vulnerable Systems:
* Microsoft Outlook 2007 on Windows XP SP2

Description:
It is possible to construct a "mailto" URI which causes the web browser to pass extra command line switches to Outlook. These switches can modify Outlook's account configuration.
Analysis:
Exploitation of this vulnerability may allow an attacker to access sensitive information or take complete control of an affected system. In order to exploit this vulnerability, an attacker would have to convince a user to view an attacker-controlled website.
Workaround:
Disabling the "mailto" URI handler will prevent exploitation of this vulnerability. However, doing so will also disable e-mail links within all applications.
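A less drastic mitigation than disabling the handler, where an application or browser extension dispatches "mailto" links itself, is to validate the link before it is handed to the registered handler. The validator below is an added example written for this advisory, not code from iDefense, Microsoft or any browser; its allow-list of headers and its address pattern are assumptions. It refuses links that, once percent-decoded, contain characters that could break out of the single quoted argument a URI handler receives, which is the mechanism described above.

```python
import re
from urllib.parse import unquote

# Constructed policy for vetting mailto: links before dispatching them to the
# OS handler. A handler normally receives the whole link as one quoted "%1"
# argument; anything that can terminate that argument (quotes, whitespace,
# control characters) is refused so no extra switches can be smuggled in.
_RAW_OK = re.compile(r"^[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]*$")  # RFC 3986 chars only
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
_BAD_DECODED = re.compile(r'["\\\x00-\x1f\x7f]')            # quote, backslash, controls
_ALLOWED_HEADERS = {"to", "cc", "bcc", "subject", "body"}   # assumed allow-list

def check_mailto(uri: str) -> tuple[bool, str]:
    """Return (True, 'ok') if `uri` is a mailto: link the policy accepts,
    otherwise (False, reason)."""
    if uri[:7].lower() != "mailto:":
        return False, "scheme is not mailto"
    rest = uri[7:]
    # Reject before decoding: a well-formed link is fully percent-encoded.
    if not _RAW_OK.fullmatch(rest):
        return False, "unencoded space, quote or control character in URI"
    addr_part, _, query = rest.partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    for field in [f for f in query.split("&") if f]:
        name, _, value = field.partition("=")
        name = unquote(name).lower()
        if name not in _ALLOWED_HEADERS:
            return False, f"header not allowed: {name}"
        value = unquote(value)
        # CR/LF would also allow header injection into the composed message.
        if _BAD_DECODED.search(value):
            return False, f"disallowed character in header {name}"
        if name in ("to", "cc", "bcc"):
            recipients.extend(a for a in value.split(",") if a)
    if not recipients:
        return False, "no recipient"
    for addr in recipients:
        if not _ADDR.fullmatch(addr):
            return False, f"malformed address: {addr}"
    return True, "ok"
```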
Vendor response:
Microsoft has addressed this vulnerability with Security Bulletin MS08-015. For more information, consult their bulletin at the following URL: http://www.microsoft.com/technet/security/Bulletin/ms08-015.mspx
CVE Information:
CVE-2008-0110
Disclosure Timeline:
07/03/2007 - Initial vendor notification
07/03/2007 - Initial vendor response
03/11/2008 - Coordinated public disclosure