Microsoft Outlook 2003 predictable file location could allow code execution

outlook-file-location-predictable (16104) The risk level is classified as Medium Risk

Description:

Microsoft Outlook could allow a remote attacker to execute arbitrary code on the system. A remote attacker could send a specially crafted email containing malicious code embedded in an HTML file, which would be saved to the victim's Temp directory once the victim replies to the email. An attacker could exploit this vulnerability by creating a malicious URL that points to the malicious HTML file and either hosting it on a Web site or sending it to a victim in an email.


Consequences:

Gain Access

Remedy:

No remedy available as of September 4, 2010.

References:

  • Full-Disclosure Mailing List, Sun May 09 2004 - 18:31:08 CDT: OUTLOOK 2003: OuchLook.
  • BID-10307: Microsoft Outlook 2003 Predictable File Location Weakness
  • BID-9709: Multiple Outlook/Outlook Express Predictable File Location Weaknesses
  • CVE-2004-0502: Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the src of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI.
  • SA11572: Microsoft Outlook Predictable File Location Weakness

Platforms Affected:

  • Microsoft Outlook 2003

Reported:

May 09, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
