Alert: Microsoft Security Bulletin MS04-009 - Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Mar 09 2004 - 18:44:57 CST


Microsoft Security Bulletin MS04-009:
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-009.mspx

Summary:
 Version Number: V1.0
 Revision Date: 03-09-2004
 Impact of Vulnerability: Remote Code Execution
 Maximum Severity Rating: Important
 Patch(es) Replaced: None
 Caveats: None
 CVE Number(s): CAN-2004-0121

Tested Software:
 Affected Software:
 * Microsoft Office XP Service Pack 2
<http://www.ntbugtraq.com/link/MS04-009-0.asp>
 * Microsoft Outlook 2002 Service Pack 2
<http://www.ntbugtraq.com/link/MS04-009-1.asp>

 Software Not Affected:
 * Microsoft Office 2000 Service Pack 3
 * Microsoft Office XP Service Pack 3
 * Microsoft Office 2003
 * Microsoft Outlook 2000 Service Pack 3
 * Microsoft Outlook 2002 Service Pack 3
 * Microsoft Outlook 2003
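These automated NTBugtraq alerts follow a fixed layout (a `Summary:` block of key/value pairs, then `Affected Software:` and `Software Not Affected:` lists with optional link lines), which makes them easy to ingest into a patch-tracking workflow. The following parser is an added example written for this page; it is not code from Microsoft, NTBugtraq or the bulletin. The `SAMPLE` text is constructed in the same layout as the alert above, and the `affected_in_inventory` helper, which matches an asset list against the affected products, is an assumption about how a reader would use the parsed record.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the NTBugtraq automated alert above.
SAMPLE = """Summary:
 Version Number: V1.0
 Revision Date: 03-09-2004
 Impact of Vulnerability: Remote Code Execution
 Maximum Severity Rating: Important
 Patch(es) Replaced: None
 Caveats: None
 CVE Number(s): CAN-2004-0121

Tested Software:
 Affected Software:
 * Microsoft Office XP Service Pack 2
<http://www.ntbugtraq.com/link/MS04-009-0.asp>
 * Microsoft Outlook 2002 Service Pack 2
<http://www.ntbugtraq.com/link/MS04-009-1.asp>

 Software Not Affected:
 * Microsoft Office 2000 Service Pack 3
 * Microsoft Outlook 2003

Technical Description:
"""

CVE_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


@dataclass
class Product:
    name: str
    url: Optional[str] = None  # link line following the product, if any


@dataclass
class Alert:
    summary: Dict[str, str] = field(default_factory=dict)
    affected: List[Product] = field(default_factory=list)
    not_affected: List[Product] = field(default_factory=list)


def parse_alert(text: str) -> Alert:
    """Parse the Summary and Tested Software sections of an alert body."""
    alert = Alert()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers drive a small state machine.
        if line == "Summary:":
            section = "summary"
            continue
        if line == "Affected Software:":
            section = "affected"
            continue
        if line == "Software Not Affected:":
            section = "not_affected"
            continue
        if line == "Tested Software:":
            section = None
            continue
        if line == "Technical Description:":
            break  # free-form prose follows; not parsed here
        if section == "summary":
            key, sep, value = line.partition(":")
            if sep:
                alert.summary[key.strip()] = value.strip()
        elif section in ("affected", "not_affected"):
            bucket = alert.affected if section == "affected" else alert.not_affected
            if line.startswith("* "):
                bucket.append(Product(line[2:].strip()))
            elif line.startswith("<") and line.endswith(">") and bucket:
                # A bracketed link line belongs to the product listed just above it.
                bucket[-1].url = line[1:-1]
    return alert


def cve_ids(alert: Alert) -> List[str]:
    """Extract CAN-/CVE- identifiers from the summary's CVE field."""
    return CVE_RE.findall(alert.summary.get("CVE Number(s)", ""))


def affected_in_inventory(alert: Alert, inventory: List[str]) -> List[str]:
    """Return inventory entries whose name matches an affected product (hypothetical helper)."""
    affected = {p.name.casefold() for p in alert.affected}
    return [item for item in inventory if item.casefold() in affected]


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE)
    print(parsed.summary["Maximum Severity Rating"], cve_ids(parsed))
    for p in parsed.affected:
        print("affected:", p.name, p.url or "")
    print(affected_in_inventory(parsed, ["Microsoft Outlook 2002 Service Pack 2"]))
```

Matching on exact product strings is deliberate: the alert distinguishes service-pack levels (SP2 affected, SP3 not), so a looser match on "Outlook 2002" alone would flag patched hosts as vulnerable.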

Technical Description:

A security vulnerability exists within Outlook 2002 that could allow
Internet Explorer to execute script code in the Local Machine zone on an
affected system. The vulnerability is caused by the way Outlook 2002
parses specially crafted mailto URLs. To exploit it, an attacker would
have to host a malicious Web site containing a Web page designed to
exploit the vulnerability and then persuade a user to view that page.
The attacker could also create an HTML e-mail message designed to
exploit the vulnerability and persuade the user to view it. After the
user has visited the malicious Web site or viewed the malicious HTML
e-mail message, an attacker who successfully exploited this
vulnerability could access files on the user's system or run arbitrary
code on it. This code would run in the security context of the
currently logged-on user. Outlook 2002 is available as a separate
product and is also included as part of Office XP.

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v3)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----