Microsoft Outlook MS04-009 patch is not installed
| outlook-ms04009-patch (15429) |
Description:
The patch specified in Microsoft Security Bulletin MS04-009 is not installed, which could allow a remote attacker to execute arbitrary code on a system.
Microsoft Outlook 2002 could allow a remote attacker to execute arbitrary code on the system. Systems that have the Outlook Today home page configured as the default home page and Outlook 2002 as the default mail reader, both of which are the default configuration, are vulnerable. Outlook does not sufficiently filter the parameters of a mailto: URL before passing them as command-line arguments to OUTLOOK.EXE, so a specially crafted mailto: URL can inject additional arguments. A remote attacker could use this to run script in the Local Machine zone of an affected system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. After the victim has visited the malicious Web page or viewed the email, the attacker could gain unauthorized access to files and execute arbitrary code on the victim's system with the user's privileges.
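The argument-injection pattern described above, shown as an added, constructed Python illustration. This is not Outlook's code and not its real command line: the executable name mailclient.exe, the /m and --to style switches and the injected /x-injected switch are hypothetical, and shlex stands in for the platform's command-line splitting. The vulnerable handler interpolates the whole URL into a quoted argument and lets it be re-parsed; the hardened handler parses the URL, honours only known mailto fields, rejects quote and control characters, and returns an argv list so argument boundaries are never re-derived from attacker-controlled text.

```python
"""Argument injection through a mailto: URL (constructed illustration).

Hypothetical handler, not Outlook's: the executable and switch names below
are made up for the example.
"""
import shlex
from urllib.parse import urlsplit, parse_qs, unquote

MAIL_CLIENT = "mailclient.exe"          # hypothetical protocol-handler target
ALLOWED_FIELDS = ("to", "cc", "bcc", "subject", "body")  # RFC 6068 hfields
FORBIDDEN_CHARS = '"\r\n\x00'           # would re-open argument or line parsing


def build_command_vulnerable(mailto_url: str) -> list[str]:
    """Flawed pattern: build a command *string* with the URL inside quotes,
    then let the command-line parser split it again.  A '"' inside the URL
    terminates the intended argument early and everything after it becomes
    new arguments (i.e. new switches) for the mail client."""
    cmdline = f'{MAIL_CLIENT} /m "{mailto_url}"'
    # shlex.split emulates argv splitting; on Windows the equivalent is the
    # C runtime / CommandLineToArgvW parsing of the single command string.
    return shlex.split(cmdline, posix=True)


class MailtoError(ValueError):
    """Raised when a mailto: URL is malformed or carries unsafe content."""


def parse_mailto(mailto_url: str) -> dict[str, str]:
    """Parse a mailto: URL into a whitelisted field dictionary.

    Percent-encoding is decoded exactly once, unknown header fields are
    rejected rather than passed through, and any character that could
    re-open argument or line parsing downstream is refused."""
    parts = urlsplit(mailto_url)
    if parts.scheme != "mailto":
        raise MailtoError("not a mailto: URL")
    fields: dict[str, str] = {}
    recipients = unquote(parts.path)
    if recipients:
        fields["to"] = recipients
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        k = key.lower()
        if k not in ALLOWED_FIELDS:
            raise MailtoError(f"unsupported mailto field: {key!r}")
        # Address lists may repeat; free-text fields keep the last value.
        fields[k] = ",".join(values) if k in ("to", "cc", "bcc") else values[-1]
    for k, v in fields.items():
        if any(ch in v for ch in FORBIDDEN_CHARS):
            raise MailtoError(f"forbidden character in field {k!r}")
    return fields


def build_command_hardened(mailto_url: str) -> list[str]:
    """Return an argv list.  Each field travels as its own element, so the
    process-creation layer (subprocess.Popen with a list) is responsible
    for quoting and the receiving program never re-splits attacker text."""
    fields = parse_mailto(mailto_url)
    argv = [MAIL_CLIENT]
    for k in ALLOWED_FIELDS:               # fixed order for determinism
        if k in fields:
            argv += [f"--{k}", fields[k]]
    return argv


def is_safe_mailto(mailto_url: str) -> bool:
    """True if the hardened parser accepts the URL, False if it rejects it."""
    try:
        parse_mailto(mailto_url)
        return True
    except MailtoError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign URL and one carrying a quote that breaks
    # out of the argument and smuggles in a (hypothetical) extra switch.
    benign = "mailto:alice@example.com?subject=Hello%20there"
    hostile = 'mailto:victim@example.com" /x-injected "arg'
    print("vulnerable, benign :", build_command_vulnerable(benign))
    print("vulnerable, hostile:", build_command_vulnerable(hostile))
    print("hardened,   benign :", build_command_hardened(benign))
    print("hardened,   hostile:", "rejected" if not is_safe_mailto(hostile) else "accepted")
```

Rejecting quote characters in the hardened parser is defence in depth rather than the primary fix: the real fix is never building a command string from URL text. Even with an argv list, the receiving program's own parser may differ from the one that quoted the arguments, so refusing the characters that matter to command-line parsers closes that gap as well.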
Consequences:
Gain Access
Remedy:
Apply the appropriate patch for your system, as listed in the Microsoft Security Bulletin MS04-009. See References.
References:
- BugTraq Mailing List, Wed Mar 10 2004 - 06:35:05 CST: Outlook mailto: URL argument injection vulnerability.
- CIAC Information Bulletin O-096: Microsoft Outlook Could Allow Unauthorized Code Execution.
- IBM Internet Security Systems X-Force Database: Microsoft Outlook 2002 mailto URL allows execution of code.
- iDEFENSE Security Advisory 03.09.04: Microsoft Outlook "mailto:" Parameter Passing Vulnerability.
- Microsoft Security Bulletin MS04-009: Vulnerability in Microsoft Outlook Could Allow Code Execution (828040).
- BID-9827: Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability.
- CVE-2004-0121: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.
Platforms Affected:
- Microsoft Office XP SP2
- Microsoft Outlook 2002 SP2
Reported:
Not available
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
