Alert: Microsoft Security Bulletin MS04-009 - Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 03/10/04

    Date:         Tue, 9 Mar 2004 19:44:57 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft Security Bulletin MS04-009:
    Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS04-009.mspx

    Summary:
     Version Number: V1.0
     Revision Date: 03-09-2004
     Impact of Vulnerability: Remote Code Execution
     Maximum Severity Rating: Important
     Patch(es) Replaced: None
     Caveats: None
     CVE Number(s): CAN-2004-0121

    Tested Software:
     Affected Software:
     * Microsoft Office XP Service Pack 2
    <http://www.ntbugtraq.com/link/MS04-009-0.asp>
     * Microsoft Outlook 2002 Service Pack 2
    <http://www.ntbugtraq.com/link/MS04-009-1.asp>

     Software Not Affected:
     * Microsoft Office 2000 Service Pack 3
     * Microsoft Office XP Service Pack 3
     * Microsoft Office 2003
     * Microsoft Outlook 2000 Service Pack 3
     * Microsoft Outlook 2002 Service Pack 3
     * Microsoft Outlook 2003

    Technical Description:

    A security vulnerability exists within Outlook 2002 that could allow
    Internet Explorer to execute script code in the Local Machine zone on an
    affected system. The parsing of specially crafted mailto URLs by Outlook
    2002 causes this vulnerability. To exploit this vulnerability, an
    attacker would have to host a malicious Web site that contained a Web
    page designed to exploit the vulnerability and then persuade a user to
    view the Web page.
    The attacker could also create an HTML e-mail message designed to
    exploit the vulnerability and persuade the user to view the HTML e-mail
    message. After the user has visited the malicious Web site or viewed the
    malicious HTML e-mail message, an attacker who successfully exploited
    this vulnerability could access files on a user's system or run
    arbitrary code on a user's system. This code would run in the security
    context of the currently logged-on user. Outlook 2002 is available as a
    separate product and is also included as part of Office XP.

    This email is sent to NTBugtraq automagically as a service to my
    subscribers. (v3)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

