Overview
A vulnerability in the way that Microsoft Outlook handles a certain type of hyperlink could allow a remote attacker to execute arbitrary code on the vulnerable system.
Description
Microsoft Outlook provides a centralized application for managing and organizing e-mail messages, schedules, tasks, notes, contacts, and other information. Outlook is included as a component of newer versions of Microsoft Office and is also available as a stand-alone product. Outlook contains a vulnerability caused by inadequate checking of the parameters passed to the Outlook e-mail client when it interprets a mailto: URI. By creating a specially formatted mailto: URI, an attacker may be able to alter the way that Outlook is invoked in order to achieve code execution. The malicious code could be delivered to the victim in a specially crafted HTML e-mail message or from a web page controlled by the attacker.
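The defensive counterpart to the flaw described above is a URI handler that validates a mailto: URI against an allowlist before any client is invoked. The following is an added example, not Microsoft's or CERT's code; it assumes the RFC 2368 mailto grammar (recipients plus the to, cc, bcc, subject and body headers) and uses a deliberately conservative address pattern.

```python
"""Strict allowlist validator for mailto: URIs (constructed example, not
Microsoft's or CERT's code). Accepts only the RFC 2368 grammar: recipients
plus a few known headers, each decoded once and checked character by character."""
import re
from urllib.parse import unquote

ALLOWED_HEADERS = {"to", "cc", "bcc", "subject", "body"}
# Conservative addr-spec: no quoting, comments, or leftover percent-encoding.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
# Free-text headers may carry only this printable subset plus line breaks.
_TEXT_RE = re.compile(r"^[A-Za-z0-9 .,;:!?()_+=/@#\r\n-]*$")


def _addresses(raw):
    """Decode a comma-separated address list; None if any entry is malformed."""
    addrs = [unquote(a) for a in raw.split(",") if a]
    return addrs if addrs and all(_ADDR_RE.match(a) for a in addrs) else None


def validate_mailto(uri):
    """Return (ok, reason, fields); fields holds decoded values only when ok."""
    if not uri.lower().startswith("mailto:"):
        return False, "not a mailto: URI", {}
    addr_part, _, query = uri[len("mailto:"):].partition("?")
    fields = {}
    if addr_part:
        to = _addresses(addr_part)
        if to is None:
            return False, "malformed recipient", {}
        fields["to"] = to
    for pair in filter(None, query.split("&")):
        name, has_eq, value = pair.partition("=")
        name = name.lower()
        if not has_eq or name not in ALLOWED_HEADERS:
            return False, f"disallowed header {name!r}", {}
        decoded = unquote(value)
        if unquote(decoded) != decoded:  # refuse double-encoded values
            return False, f"double-encoded value in {name!r}", {}
        if name in ("to", "cc", "bcc"):
            addrs = _addresses(value)
            if addrs is None:
                return False, f"malformed address in {name!r}", {}
            fields.setdefault(name, []).extend(addrs)
        elif not _TEXT_RE.match(decoded):
            return False, f"unsafe character in {name!r}", {}
        else:
            fields[name] = decoded
    return True, "ok", fields
```

A handler built this way only ever passes the decoded, validated fields to the mail client; the raw URI string is never forwarded.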
Impact
Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code. Upon successful exploitation, the malicious code would be executed in the context of the "Local Machine" under the user running Outlook.
Solution
Apply Update
Workaround
Vendor Information
CVSS Metrics
References
Acknowledgements
Microsoft acknowledges Greg MacManus of iDefense Labs for reporting this vulnerability.
This document was written by Joseph W. Pruszynski.
Other Information
CVE IDs: CVE-2008-0110
Severity Metric: 26.33
Date Public: 2008-03-11
Date First Published: 2008-03-11
Date Last Updated: 2008-04-01 19:34 UTC
Document Revision: 27