MHTML Arbitrary Code Execution in Microsoft Outlook Express

Reported April 23, 2003, by Microsoft.

 

 

VERSIONS AFFECTED

 

·         Microsoft Outlook Express 6.0 and 5.5

 

DESCRIPTION

 

A vulnerability in Microsoft Outlook Express 6.0 and 5.5 can result in the execution of arbitrary code on the vulnerable system. This vulnerability is a result of flaw in the Mime Encapsulation of Aggregate HTML (MHTML) URL Handler. To exploit this vulnerability, an attacker can construct a URL and either host it on a Web site or send it by email. In the Web-based scenario, when a user clicks the site-hosted URL, the attacker can then read or launch files already present on the local machine.

 

VENDOR RESPONSE

Microsoft has released Security Bulletin MS03-014, "Cumulative Patch for Outlook Express (330994)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.

 

CREDIT                                                                                                       

Discovered by Microsoft.