<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Julian et al.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>There was a new bug that was patched by Microsoft
in a release yesterday. It will (from past experience) be a good long
while before this is rolled out. Since there has been some work done here
in the past on routines (codebase, iframe etc.) that were designed to alleviate
certain threats to those who use the outlook and outlook express packages, can
we expect to see something to protect against this one?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It appears that it can be either sent to a browser
via a web-page OR an email message...I know we can only help against one...and
not the other...but any help is often perceived as good! :)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is the information posted from another list,
does it include everything needed to build a module to detect/handle the
vulnerability?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>CT</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>OVERVIEW<BR>========<BR><BR>Microsoft Outlook contains a vulnerability
which allows execution of <BR>arbitrary code when a victim user views a web page
or an e-mail message <BR>created by an
attacker.<BR><BR><BR><BR>DETAILS<BR>=======<BR><BR>During Outlook installation,
a mailto: URL handler is registered to the <BR>system. When a mailto: URL is
opened, the system starts OUTLOOK.EXE <BR>with the following
arguments:<BR><BR> OUTLOOK.EXE -c IPM.Note /m "<A
href="mailto:email@address">mailto:email@address</A>"<BR><BR>If the URL contains
a quote symbol, additional command line arguments<BR>can be injected to
OUTLOOK.EXE. The program recognizes several command<BR>line switches. Also a
startup URL to be opened by Outlook can be <BR>supplied on command line. This
URL can be a javascript: URL, and if the <BR>"Outlook today" page is the current
view in Outlook, the JavaScript <BR>code will be executed in the "Local machine"
zone. This allows an <BR>attacker to e.g. download and start a desired EXE
program.<BR><BR>A web page or e-mail message exploiting this flaw may contain
for <BR>instance an IMG tag to refer to a mailto: URL. The victim user need not
<BR>click on a link.<BR><BR>If the "Outlook today" view isn't the default view
in Outlook, the <BR>attacker can still carry out the attack by using two mailto:
URLs; The <BR>information in the mitigating factors section of Microsoft's
bulletin <BR>regarding this is inaccurate. The first mailto: URL would start
<BR>OUTLOOK.EXE and cause it to show the "Outlook today" view, and the
<BR>second one would supply the offending JavaScript code. This scenario <BR>was
verified by an exploit.<BR><BR>The issue is not a standard "cross site
scripting" vulnerability, but a <BR>different kind of injection attack. The
exploit can inject command line <BR>switches and arguments to OUTLOOK.EXE
because quote symbols in the URL <BR>aren't escaped or otherwise processed. This
can be considered a new <BR>vulnerability category, and further investigation
has shown that <BR>similar attacks can be carried out against other software
which register <BR>a URL handler.<BR></DIV></BODY></HTML>