BugTraq
Re: Outlook mailto: URL argument injection vulnerability MS04-009 (Now CRITICAL) ! Mar 11 2004 09:15AM
K-OTiK Security (Special-Alerts k-otik com)
In-Reply-To: <20040310123503.GC9654 (at) jouko.iki (dot) fi>

>Date: Wed, 10 Mar 2004 14:35:05 +0200
>From: Jouko Pynnonen <jouko (at) iki (dot) fi>
>To: bugtraq (at) securityfocus (dot) com
>Subject: Outlook mailto: URL argument injection vulnerability
>
> [...]
>
>If the "Outlook today" view isn't the default view in Outlook, the
>attacker can still carry out the attack by using two mailto: URLs; The
>information in the mitigating factors section of Microsoft's bulletin
>regarding this is inaccurate. The first mailto: URL would start
>OUTLOOK.EXE and cause it to show the "Outlook today" view, and the
>second one would supply the offending JavaScript code. This scenario
>was verified by an exploit.
>

Microsoft's advisory "Outlook 2002 mailto arbitrary code execution" was updated yesterday; the Maximum Severity Rating was upgraded from "Important" to "Critical".

V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new client update.

Best Regards.

Gilles Fabienni - Consultant Sécurité

Cellule Veille - K-OTik Security

http://www.k-otik.com
