Microsoft Outlook Express MHTML Forced File Execution Vulnerability

A vulnerability has been discovered in Microsoft Outlook Express when handling MHTML file and res URIs that could lead to an unexpected file being downloaded and executed.

The problem occurs due to the component failing to securely handle MHTML file URIs that reference a non-existent resource. The affected Outlook Express component is used by Microsoft Internet Explorer. As a result, a victim browser user may inadvertently access a page designed to load an embedded object from a malicious location. This would effectively result in the execution of attacker-supplied code within the Local Zone. The vulnerability is present even if Microsoft Outlook has been removed as the default email client.

According to Microsoft, Microsoft Internet Explorer on Windows Server 2003 is prone to attacks despite its specialized configuration.

Microsoft Windows platforms running Microsoft Outlook Express 5.5SP2, 6.0, and 6.0SP1 are reported by the vendor to be affected though the issue may also be present in earlier versions of Microsoft Outlook Express.


 

Privacy Statement
Copyright 2010, SecurityFocus