Outlook 2002 Vulnerability

Chris Trudeau chris at TRUDEAU.ORG
Wed Mar 10 20:16:02 GMT 2004 

Julian et. al.

There was a new bug that was patched by Microsoft in a release yesterday.  It will (from past experience) be a good long while before this is rolled out.  Since there has been some work done here in the past on routines (codebase, iframe etc.) that were designed to alleviate certain threats to those who use the outlook and outlook express packages, can we expect to see soemthing to protect against this one. 

It appears that it can be either sent to a browser via a web-page OR an email message...I know we can only help against one...and not the other...but any help is ofter perceived as good!  :)

Here is the information posted from another list, does it include everything needed to build a module to detect/handle the vulnerability?

CT


OVERVIEW
========

Microsoft Outlook contains a vulnerability which allows execution of 
arbitrary code when a victim user views a web page or an e-mail message 
created by an attacker.



DETAILS
=======

During Outlook installation, a mailto: URL handler is registered to the 
system. When a mailto: URL is opened, the system starts OUTLOOK.EXE 
with the following arguments:

  OUTLOOK.EXE -c IPM.Note /m "mailto:email at address"

If the URL contains a quote symbol, additional command line arguments
can be injected to OUTLOOK.EXE. The program recognizes several command
line switches. Also a startup URL to be opened by Outlook can be 
supplied on command line. This URL can be a javascript: URL, and if the 
"Outlook today" page is the current view in Outlook, the JavaScript 
code will be executed in the "Local machine" zone. This allows an 
attacker to e.g. download and start a desired EXE program.

A web page or e-mail message exploiting this flaw may contain for 
instance an IMG tag to refer to a mailto: URL. The victim user need not 
click on a link.

If the "Outlook today" view isn't the default view in Outlook, the 
attacker can still carry out the attack by using two mailto: URLs; The 
information in the mitigating factors section of Microsoft's bulletin 
regarding this is inaccurate. The first mailto: URL would start 
OUTLOOK.EXE and cause it to show the "Outlook today" view, and the 
second one would supply the offending JavaScript code. This scenario 
was verified by an exploit.

The issue is not a standard "cross site scripting" vulnerability, but a 
different kind of injection attack. The exploit can inject command line 
switches and arguments to OUTLOOK.EXE because quote symbols in the URL 
aren't escaped or otherwise processed. This can be considered a new 
vulnerability category, and further investigation has shown that 
similar attacks can be carried out against other software which register 
a URL handler.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040310/73851d04/attachment.html

More information about the MailScanner mailing list