WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec

Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability

Risk
High

Date Discovered
03-09-2004

Description
Microsoft Outlook is prone to a vulnerability that may permit execution of arbitrary code on client systems. This issue is exposed through Outlook, but will reportedly cause Internet Explorer to load malicious content in the Local Zone.

This is related to how mailto URIs are handled by the software and may be exploited from a malicious web page or through HTML e-mail in situations where the Outlook Today page is the default folder home page in the client. This issue will permit a remote attacker to influence how Outlook invoked via mailto URIs, allowing for execution of malicious scripting in the Local Zone through an attacker-specified Outlook profile parameter.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released March 9, 2004.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released March 9, 2004.

Platforms Affected
Microsoft Office XP
Microsoft Office XP SP2
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Terminal Services SP3
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1

Components Affected
Microsoft Office XP SP2
Microsoft Office XP SP1
Microsoft Office XP
Microsoft Outlook 2002 SP2
Microsoft Outlook 2002 SP1
Microsoft Outlook 2002

Recommendations
Run all client software as a non-privileged user with minimal access rights.
Running client software as an unprivileged user with minimal access rights will reduce the impact of this and similar vulnerabilities.

Do not follow links provided by unknown or untrusted sources.
This issue could be exploited from a malicious web page. Users should be wary of visiting web pages of questionable integrity, especially if enticed to do so by an untrusted or unfamiliar source.

Do not accept communications that originate from unknown or untrusted sources.
This issue could be exploited via HTML e-mail in some circumstances. Support for HTML e-mail should be disabled in the client if not required. Users should also not open e-mails originating from an untrusted or unfamiliar source. Where possible, HTML may also be filtered from incoming mail.

Microsoft has released patches for Outlook 2002 and Office XP (which includes the vulnerable component).

This issue has also been addressed in Outlook 2002 SP3 and Office XP SP3. Users are advised to upgrade.


Microsoft Office XP SP2:

Microsoft Patch MS04-009 Office XP SP2 Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

Microsoft Office XP SP1:
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

Microsoft Office XP :
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

Microsoft Outlook 2002 SP2:
Microsoft Patch MS04-009 Outlook SP2 Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

Microsoft Outlook 2002 SP1:
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

Microsoft Outlook 2002 :
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

References
Source: Microsoft Outlook "mailto:" Parameter Passing Vulnerability
URL: http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities

Source: Microsoft Security Bulletin MS04-009
URL: http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

Credits
Discovery of this issue is credited to Jouko Pynnönen.


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.