Microsoft Outlook VML information disclosure
outlook-vml-obtain-information (16116)
Description:
Microsoft Outlook could allow a remote attacker to obtain information, caused by a vulnerability in the Vector Markup Language (VML) implementation. A remote attacker could send a specially-crafted HTML email that, once viewed, notifies a remote server that the email has been read, even if the victim's Outlook is configured to restrict this functionality.
Consequences:
Obtain Information
Remedy:
No remedy available as of September 4, 2010.
References:
- BugTraq Mailing List, Tue May 11 2004 - 10:41:38 CDT: PING: Outlook 2003 Spam.
- BID-10323: Microsoft Outlook Mail Client E-mail Address Verification Weakness
- CVE-2004-0501: Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information.
Platforms Affected:
- Microsoft Outlook 2003
Reported:
May 11, 2004
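Detection example:
With no remedy listed, one option is to flag such messages at the mail gateway. The following Python check is an added example, not part of the X-Force entry or any vendor code: it reports VML-namespaced elements in HTML mail parts whose src attribute points to a remote host, the pattern given in the CVE-2004-0501 description. The sample message, its hostnames, and the use of v:imagedata are constructed for illustration; the page does not say which VML element was used.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

VML_NS = "urn:schemas-microsoft-com:vml"

def _is_remote(url):
    # A non-empty netloc means the reference leaves the message
    # (http://host/..., //host/...); cid: and relative paths have none.
    try:
        return bool(urlparse(url).netloc)
    except ValueError:   # malformed URL: treat as suspicious
        return True

class VMLRemoteRefFinder(HTMLParser):
    """Collect (tag, url) for VML-namespaced elements with a remote src."""
    def __init__(self):
        super().__init__()
        self.prefixes = {"v"}   # conventional prefix; others learned from xmlns:*
        self.hits = []

    def handle_starttag(self, tag, attrs):   # names arrive lowercased
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, value in attrs.items():
            if name.startswith("xmlns:") and value.lower() == VML_NS:
                self.prefixes.add(name[len("xmlns:"):])
        prefix, sep, _ = tag.partition(":")
        src = attrs.get("src", "")
        if sep and prefix in self.prefixes and src and _is_remote(src):
            self.hits.append((tag, src))

def find_vml_remote_refs(raw_message: bytes):
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = VMLRemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits

# Constructed sample message (not taken from the advisory).
SAMPLE = b"""From: sender@example.com\nTo: user@example.org\nSubject: sample
MIME-Version: 1.0\nContent-Type: text/html; charset="us-ascii"\n
<html xmlns:v="urn:schemas-microsoft-com:vml"><body><p>Hello</p>
<v:rect><v:imagedata src="http://tracker.example/ping?id=123" /></v:rect>
<v:imagedata src="cid:logo@local" />
<img src="http://images.example/banner.png"></body></html>
"""
```

The ordinary `<img>` is deliberately not reported: it is the kind of remote content the client setting already restricts, while the VML element is what the entry says bypasses it.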
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
