
Microsoft Outlook Express MHTML Redirection Local File Parsing Vulnerability

A vulnerability has been reported in Microsoft Outlook Express that may allow an attacker to parse local files on a system. The vulnerable component is part of Microsoft Outlook Express but is also used by Microsoft Internet Explorer.

The issue reportedly arises when the resource specified in the Mhtml_File_Uri cannot be found: the browser then attempts to retrieve the resource specified in the Original_Resource_Uri. Because security checks on access to the Original_Resource_Uri are insufficient, this fallback can be used to redirect the browser to a local resource.
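
A defensive check for the pattern described above, added here as an example and not part of the original advisory: it scans HTML or mail bodies for MHTML URIs whose Original_Resource_Uri points at a local resource. The `mhtml:<Mhtml_File_Uri>!<Original_Resource_Uri>` layout, the function name and the sample bodies are assumptions, not taken from the page.

```python
import html
import re
from urllib.parse import unquote

# Assumed URI layout (not stated on the page):
#   mhtml:<Mhtml_File_Uri>!<Original_Resource_Uri>
MHTML_URI = re.compile(r"""mhtml:([^\s"'<>!]+)!([^\s"'<>]+)""", re.IGNORECASE)

# Fallback targets that resolve on the local machine: file: URLs and drive paths.
LOCAL_TARGET = re.compile(r"^(?:file:|[a-z]:[\\/])", re.IGNORECASE)


def find_local_redirects(content):
    """Return (mhtml_file_uri, original_resource_uri) pairs with a local fallback."""
    # Undo HTML entities and up to two layers of percent-encoding so that
    # file&#58;, file%3A and file%253A are all compared in the same form.
    decoded = unquote(unquote(html.unescape(content)))
    hits = []
    for match in MHTML_URI.finditer(decoded):
        mhtml_file_uri, original_resource_uri = match.groups()
        if LOCAL_TARGET.match(original_resource_uri):
            hits.append((mhtml_file_uri, original_resource_uri))
    return hits


# Constructed sample bodies (hypothetical, not from any real message).
SAMPLES = {
    "remote-fallback": '<a href="mhtml:http://example.invalid/a.mht'
                       '!http://example.invalid/b.htm">',
    "local-fallback": '<iframe src="mhtml:http://example.invalid/missing.mht'
                      '!file:///C:/placeholder.txt">',
    "encoded-local": '<img src="MHTML:http://example.invalid/x.mht'
                     '!file%3A%2F%2F%2FC%3A%2Fplaceholder.txt">',
    "no-mhtml": '<a href="http://example.invalid/">',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = find_local_redirects(body)
        print(f"{name}: {'FLAG' if hits else 'ok'} {hits}")
```
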

According to Microsoft, Microsoft Internet Explorer on Windows Server 2003 is prone to attacks despite its specialized configuration.

Microsoft Windows platforms running Microsoft Outlook Express 5.5SP2, 6.0, and 6.0SP1 are reported by the vendor to be affected, though the issue may also be present in earlier versions of Microsoft Outlook Express.







 

Copyright 2009, SecurityFocus