WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec

Outlook Express MHTML Forced File Execution Vulnerability

Risk
High

Date Discovered
11-25-2003

Description
A vulnerability has been discovered in Outlook Express when handling MHTML file and res URIs that could lead to an unexpected file being downloaded and executed. The problem occurs due to the component failing to securely handle MHTML file URIs which references two files, the first of which points to a non-existant resource. The Outlook Express component is used by Microsoft Internet Explorer. As a result, a victim browser user may inadvertantely access a page designed to load an embedded object from a malicious location. This would effectively result in the execution of attacker-supplied code within the Local Zone. The vulnerability is present even if Microsoft Outlook has been removed as the default e-mail client.

**NOTE: According to Microsoft, Microsoft Internet Explorer on Windows Server 2003 is vulnerable despite its specialized configuration.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released April 13, 2004.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released April 13, 2004.

Symantec Enterprise Security Manager Network Assessment Module
Symantec Enterprise Security Manager Network Assessment Module detects and reports this vulnerability. Click here for the advisory released August 9, 2005.

Platforms Affected
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.0.1 for Windows 2000
Microsoft Internet Explorer 5.0.1 for Windows 95
Microsoft Internet Explorer 5.0.1 for Windows 98
Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
Microsoft Internet Explorer 5.5
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows XP Professional

Components Affected
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server Japanese Edition
Microsoft Windows 2000 Terminal Services SP4
Microsoft Windows 2000 Terminal Services SP3
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition

Recommendations
Run all client software as a non-privileged user with minimal access rights.
Web browsing and other non-administrative tasks should always be performed as an unprivileged user with minimal access rights. This will limit the consequences of successful exploitation.

Do not follow links provided by unknown or untrusted sources.
This issue may be exploited via a malicious web page. Users should be cautious of visiting websites of questionable integrity, especially if they are enticed to do so through unsolicited e-mail or by an unfamiliar or untrusted source.

Set web browser security to disable the execution of script code or active content.
Using browser security settings to disable support for Active Scripting in the Internet Zone will limit exposure to this and other known issues in the browser security model.

Do not accept communications that originate from unknown or untrusted sources.
This vulnerability can be exploited through malicious e-mails or newsgroup posts. Avoid such usage on critical systems. Ensure that e-mail and news clients are run as a regular user account with minimal access to system resources. Apparent e-mail origin should not be trusted as it is trivial for attackers or malicious code to spoof the sending address.

Microsoft has released fixes:

http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx


Microsoft Internet Explorer 5.0:
Microsoft Internet Explorer 5.0.1 SP3:
Microsoft Internet Explorer 5.0.1 SP2:
Microsoft Internet Explorer 5.0.1 SP1:
Microsoft Internet Explorer 5.0.1:
Microsoft Internet Explorer 5.5 SP2:
Microsoft Internet Explorer 5.5 SP1:
Microsoft Internet Explorer 5.5:
Microsoft Internet Explorer 6.0 SP1:
Microsoft Internet Explorer 6.0:
Microsoft Outlook Express 5.5:
Microsoft Outlook Express 6.0:
Microsoft Windows 2000 Advanced Server SP4:
Microsoft Windows 2000 Advanced Server SP3:
Microsoft Windows 2000 Advanced Server SP2:
Microsoft Windows 2000 Advanced Server SP1:
Microsoft Windows 2000 Advanced Server :
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Datacenter Server SP1:
Microsoft Windows 2000 Datacenter Server :
Microsoft Windows 2000 Professional SP4:
Microsoft Windows 2000 Professional SP3:
Microsoft Windows 2000 Professional SP2:
Microsoft Windows 2000 Professional SP1:
Microsoft Windows 2000 Professional :
Microsoft Windows 2000 Server SP4:
Microsoft Windows 2000 Server SP3:
Microsoft Windows 2000 Server SP2:
Microsoft Windows 2000 Server SP1:
Microsoft Windows 2000 Server :
Microsoft Windows 2000 Server Japanese Edition :
Microsoft Windows 2000 Terminal Services SP4:
Microsoft Windows 2000 Terminal Services SP3:
Microsoft Windows 2000 Terminal Services SP2:
Microsoft Windows 2000 Terminal Services SP1:
Microsoft Windows 2000 Terminal Services :
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Windows NT Enterprise Server 4.0 SP6:
Microsoft Windows NT Enterprise Server 4.0 SP5:
Microsoft Windows NT Enterprise Server 4.0 SP4:
Microsoft Windows NT Enterprise Server 4.0 SP3:
Microsoft Windows NT Enterprise Server 4.0 SP2:
Microsoft Windows NT Enterprise Server 4.0 SP1:
Microsoft Windows NT Enterprise Server 4.0:
Microsoft Windows NT Server 4.0 SP6a:
Microsoft Windows NT Server 4.0 SP6:
Microsoft Windows NT Server 4.0 SP5:
Microsoft Windows NT Server 4.0 SP4:
Microsoft Windows NT Server 4.0 SP3:
Microsoft Windows NT Server 4.0 SP2:
Microsoft Windows NT Server 4.0 SP1:
Microsoft Windows NT Server 4.0:
Microsoft Windows NT Terminal Server 4.0 SP6:
Microsoft Windows NT Terminal Server 4.0 SP5:
Microsoft Windows NT Terminal Server 4.0 SP4:
Microsoft Windows NT Terminal Server 4.0 SP3:
Microsoft Windows NT Terminal Server 4.0 SP2:
Microsoft Windows NT Terminal Server 4.0 SP1:
Microsoft Windows NT Terminal Server 4.0 alpha:
Microsoft Windows NT Terminal Server 4.0:
Microsoft Windows NT Workstation 4.0 SP6a:
Microsoft Windows NT Workstation 4.0 SP6:
Microsoft Windows NT Workstation 4.0 SP5:
Microsoft Windows NT Workstation 4.0 SP4:
Microsoft Windows NT Workstation 4.0 SP3:
Microsoft Windows NT Workstation 4.0 SP2:
Microsoft Windows NT Workstation 4.0 SP1:
Microsoft Windows NT Workstation 4.0:
Microsoft Windows Server 2003 Datacenter Edition :
Microsoft Windows Server 2003 Datacenter Edition 64-bit :
Microsoft Windows Server 2003 Enterprise Edition :
Microsoft Windows Server 2003 Enterprise Edition 64-bit :
Microsoft Windows Server 2003 Standard Edition :
Microsoft Windows Server 2003 Web Edition :
Microsoft Windows XP 64-bit Edition Version 2003 SP1:
Microsoft Windows XP 64-bit Edition Version 2003 :
Microsoft Windows XP Home SP1:
Microsoft Windows XP Home :
Microsoft Windows XP Media Center Edition :
Microsoft Windows XP Professional SP1:
Microsoft Windows XP Professional :
Microsoft Windows XP Tablet PC Edition :

References
Source: Internet Explorer Vulnerability :: 1stCleanRc
URL: http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/index.html

Source: Microsoft Security Bulletin MS04-013
URL: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

Credits
The disclosure of this issue has been credited to Liu Die Yu liudieyuinchina@yahoo.com.cn.


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.