Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability



Date Discovered

March 9, 2004


Microsoft Outlook is prone to a vulnerability that may permit execution of arbitrary code on client systems. This issue is exposed through Outlook, but will reportedly cause Internet Explorer to load malicious content in the Local Zone. This is related to how mailto URIs are handled by the software and may be exploited from a malicious web page or through HTML e-mail. This issue will permit a remote attacker to influence how Outlook invoked via mailto URIs, allowing for execution of malicious scripting in the Local Zone through an attacker-specified Outlook profile parameter. ** It was initially reported that exploitation of this issue will depend on the Outlook Today page being the default folder homepage. Additional details have been made available to indicate that in situations where this is not the default page, it is possible to use two mailto URIs to exploit the issue. The first URI would display the Outlook Today view and the second would include an embedded JavaScript URI.

Technologies Affected

  • Microsoft Office XP
  • Microsoft Office XP SP1
  • Microsoft Office XP SP2
  • Microsoft Outlook 2002
  • Microsoft Outlook 2002 SP1
  • Microsoft Outlook 2002 SP2


Run all software as a nonprivileged user with minimal access rights.
Running client software as an unprivileged user with minimal access rights will reduce the impact of this and similar vulnerabilities.

Do not follow links provided by unknown or untrusted sources.
This issue could be exploited from a malicious web page. Users should be wary of visiting web pages of questionable integrity, especially if enticed to do so by an untrusted or unfamiliar source.

Do not accept communications that originate from unknown or untrusted sources.
This issue could be exploited via HTML e-mail in some circumstances. Support for HTML e-mail should be disabled in the client if not required. Users should also not open e-mails originating from an untrusted or unfamiliar source. Where possible, HTML may also be filtered from incoming mail.

Microsoft has released a security bulletin (MS04-009) and patches for Outlook 2002 and Office XP (which includes the vulnerable component). This issue has also been addressed in Outlook 2002 SP3 and Office XP SP3. Users are advised to upgrade.



Discovery of this issue is credited to Jouko Pynnönen.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.