Microsoft Outlook 2000 URL spoofing (Email_Outlook_URL_Spoof)

About this signature or vulnerability

Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects emails containing specially crafted URLs which may be used to falsify URL links in email, making them appear to link to different sites than are displayed to the user in the email. This could be an attempt to trick users into clicking on malicious or inappropriate links.


False positives

Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: It is possible, though fairly unlikely that a valid URL could contain an encoding similar enough to a malicious attack attempt to be detected as an attack. This is however very unlikely.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 22.25, Proventia-G 1.1 and earlier: XPU 22.25, Proventia Network MFS: XPU 1.23, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 22.25, RealSecure Server Sensor: XPU 22.25, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 2000, Microsoft Outlook: 2000

Type

Suspicious Activity

Vulnerability description

Microsoft Outlook could allow a remote attacker to spoof a trusted Web page by altering the URL that is displayed in an email. A remote attacker could send a specially-crafted email containing a URL link to a legitimate Web site followed by an asterisk ( * ) and a URL link to a malicious site, which would cause only the URL prior to the asterisk to be displayed. The victim would be redirected to the malicious Web site, once the link is clicked. An attacker could use this vulnerability to trick unsuspecting users to visit a malicious Web site.

How to remove this vulnerability

No remedy available as of July 9, 2011.

References

BugTraq Mailing List, Tue May 11 2004 - 08:48:03 CDT
Hiding URLs from Outlook and other mail clients
http://archives.neohapsis.com/archives/bugtraq/2004-05/0094.html

ISS X-Force
Microsoft Outlook 2000 URL spoofing
http://www.iss.net/security_center/static/16119.php