Re: Outlook mailto: URL argument injection vulnerability MS04-009 (Now CRITICAL) !

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <20040310123503.GC9654 () jouko iki fi>

> Date: Wed, 10 Mar 2004 14:35:05 +0200
> From: Jouko Pynnonen <jouko () iki fi>
> To: bugtraq () securityfocus com
> Subject: Outlook mailto: URL argument injection vulnerability

> [...]
> If the "Outlook today" view isn't the default view in Outlook, the 
> attacker can still carry out the attack by using two mailto: URLs; The 
> information in the mitigating factors section of Microsoft's bulletin 
> regarding this is inaccurate. The first mailto: URL would start 
> OUTLOOK.EXE and cause it to show the "Outlook today" view, and the 
> second one would supply the offending JavaScript code. This scenario 
> was verified by an exploit.

The Microsoft's advisory "Outlook 2002 mailto arbitrary code execution" was updated yesterday, the Maximum Severity 
Rating was upgraded from "Important" to "Critical".

V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new 
client update.

Best Regards.
Gilles Fabienni - Consultant Sécurité
Cellule Veille - K-OTik Security
http://www.k-otik.com