Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects a malicious web page with a 'mailto:' URI that could allow the execution of code.
High
Proventia Network MFS: XPU 1.41, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia-G 1.1 and earlier: XPU 24.2, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 24.2, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, RealSecure Network: XPU 24.2, RealSecure Server Sensor: XPU 24.2, RealSecure Desktop Protector 3.6: eoa, RealSecure Desktop: eoa, Proventia Network IPS: XPU 1.42, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for VMware: 1.0
Microsoft Outlook: 2002, Microsoft Office: XP SP2
Unauthorized Access Attempt
Microsoft Outlook 2002 could allow a remote attacker to execute arbitrary code on the system. Systems that have the Outlook Today home page configured as the default homepage and Outlook 2002 as the default mail reader, both of which are configured by default, are vulnerable. A remote attacker could create a specially-crafted mailto URL, which would allow the attacker to execute arbitrary code in the Local Machine zone of an affected system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. After the victim has visited the malicious Web page or viewed the email, the attacker could gain unauthorized access to files and execute arbitrary code on the victim's system with the user's privileges.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-009. See References.
Microsoft Security Bulletin MS04-009
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
iDEFENSE Security Advisory 03.09.04:
Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities&flashstatus=true
CERT Vulnerability Note VU#305206
Microsoft Outlook fails to properly filter parameters passed via "mailto:" URL
http://www.kb.cert.org/vuls/id/305206
BugTraq Mailing List, Wed Mar 10 2004 - 06:35:05 CST
Outlook mailto: URL argument injection vulnerability
http://archives.neohapsis.com/archives/bugtraq/2004-03/0086.html
CIAC Information Bulletin O-096
Microsoft Outlook Could Allow Unauthorized Code Execution
http://www.ciac.org/ciac/bulletins/o-096.shtml
ISS X-Force
Microsoft Outlook 2002 mailto URL allows execution of code
http://www.iss.net/security_center/static/15414.php
CVE
CVE-2004-0121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121