Microsoft Outlook Express MHTML URL allows execution of code
| outlook-mhtml-execute-code (15705) |  High Risk |
Description:
Microsoft Outlook Express versions 5.5, 6.0, 6.0SP1, and 6.0 on Windows Server 2003 could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability when parsing MHTML files. MHTML is the defining standard for MIME (Multipurpose Internet Mail Extensions) structures used to send HTML content in the body of email messages. A remote attacker could create a specially-crafted MHTML URL containing a reference to a local file that does not exist, which would allow the attacker to execute arbitrary code in the Local Machine zone of an affected system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. After the victim has visited the malicious Web page or viewed the email, the attacker could gain unauthorized access to files and execute arbitrary code on the victim's system with the user's privileges.
Platforms Affected:
- Microsoft, Outlook Express 5.0
- Microsoft, Outlook Express 6.0
- Microsoft, Outlook Express 6.0 SP1
- Microsoft, Windows 2003 Server
Remedy:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Sun Mar 28 2004 - 01:03:07 CST, IE ms-its: and mk:@MSITStore: vulnerability at http://archives.neohapsis.com/archives/bugtraq/2004-03/0308.html.
- BugTraq Mailing List, Wed Feb 18 2004 - 19:02:45 CST, Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658) at http://archives.neohapsis.com/archives/bugtraq/2004-02/0518.html.
- CIAC Information Bulletin O-116, Microsoft Cumulative Security Update for Outlook Express at http://www.ciac.org/ciac/bulletins/o-116.shtml.
- Internet Security Systems Security Alert, April 13, 2004, Multiple Vulnerabilities in Microsoft Products at http://xforce.iss.net/xforce/alerts/id/169.
- Microsoft Security Bulletin MS04-013, Cumulative Security Update for Outlook Express (837009) at http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx.
- Microsoft Security Bulletin MS04-018, Cumulative Security Update for Outlook Express (823353) at http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx.
- Microsoft Security Bulletin MS06-016, Cumulative Security Update for Outlook Express (911567) at http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx.
- Microsoft Security Bulletin MS06-076, Cumulative Security Update for Outlook Express (923694) at http://www.microsoft.com/technet/security/Bulletin/MS06-076.mspx.
- Microsoft Security Bulletin MS07-034, Cumulative Security Update for Outlook Express and Windows Mail (929123) at http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx.
- Microsoft Security Bulletin MS07-056, Security Update for Outlook Express and Windows Mail (941202) at http://www.microsoft.com/technet/security/Bulletin/ms07-056.mspx.
- Microsoft Security Bulletin MS08-048, Security Update for Outlook Express and Windows Mail (951066) at http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx.
- US-CERT Technical Cyber Security Alert TA04-099A, Vulnerability in Internet Explorer ITS Protocol Handler at http://www.us-cert.gov/cas/techalerts/TA04-099A.html.
- BID-9105: Microsoft Outlook Express MHTML Forced File Execution Vulnerability
- BID-9658: Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability
- CVE-2004-0380: The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the MHTML URL Processing Vulnerability.
- SA10523: Internet Explorer showHelp() Restriction Bypass Vulnerability
- US-CERT VU#323070: Outlook Express MHTML protocol handler does not properly validate source of alternate content
Reported:
Apr 13, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net