Microsoft Outlook 2003 OLE object bypass restricted security zone

outlook-ole-restriction-bypass (16173)

Risk level: Medium

Description:

Microsoft Outlook could allow a remote attacker to bypass the Restricted security zone setting and possibly cause a malicious file to be downloaded to the system. By sending a specially crafted Rich Text Format (RTF) email containing an OLE object that references a media file, a remote attacker could cause that file to be opened outside the Restricted zone; if the victim accepts the resulting prompt to download the file, it is saved to the system.

Consequences:

Bypass Security

Remedy:

No remedy available as of July 9, 2011.

References:

  • BugTraq Mailing List, Mon May 17 2004 - 16:29:11 CDT: ROCKET SCIENCE: Outllook 2003.
  • BID-10369: Microsoft Outlook 2003 Media File Script Execution Vulnerability
  • CVE-2004-0503: Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502.
  • OSVDB ID: 6217: Microsoft Outlook RTF Embedded Object Security Bypass
  • SA11629: Microsoft Outlook RTF Embedded OLE Object Security Bypass

Platforms Affected:

  • Microsoft Outlook 2003

Reported:

May 17, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
