New Breed of Attack Targets Microsoft Outlook XP Users

Microsoft upgrades Outlook XP's vulnerability to "critical" after researcher finds additional flaws; company urges patch be applied quickly

Microsoft released an “important” Outlook vulnerability notice, then reissued it with a “critical” rating when security researchers found further flaws.

Affected software includes Microsoft Office XP Service Pack 2 and Microsoft Outlook 2002 Service Pack 2. A successful attack could result in a remote code execution.

According to security researcher Jouko Pynnönen, who discovered the vulnerability, an attacker could attack Outlook and ultimately execute arbitrary code when a victim uses an attacker-created e-mail address or views a specially created Web page.

Here’s the problem: “During Outlook installation, a mailto: URL handler is registered to the system. When a mailto: URL is opened, the system starts Outlook.exe” with certain arguments, notes Pynnönen. If the URL in the e-mail address contains a quote symbol, however, an attacker can inject additional arguments into Outlook.exe.

Command-line attacks are possible, since Outlook recognizes some command line arguments. Also, “a startup URL to be opened by Outlook can be supplied on [the] command line,” says Pynnönen. Even worse, the URL can be JavaScript. “If the ‘Outlook Today’ page is the current view in Outlook, the JavaScript code will be executed in the ‘Local machine’ zone. This allows an attacker to, [for example,] … download and start a desired .exe program.”

One concern is that a user’s PC can be exploited without the user actually clicking on—or opening—anything. For example, an image tag on a Web page can be built to exploit the flaw.

The "Outlook Today" method isn't the only way in. Two “mailto:” attacks can accomplish the same thing, and it was this discovery that forced Microsoft to upgrade the vulnerability’s severity rating. The first “mailto:” would open Outlook and force it to show Outlook Today, and the second would then execute the JavaScript attack.

Pynnönen classes this as a new type of exploit. “The issue is not a standard ‘cross site scripting’ vulnerability, but a different kind of injection attack. The exploit can inject command line switches and arguments to Outlook.exe because quote symbols in the URL aren't escaped or otherwise processed.” He also warns the vulnerability could be widespread. “Further investigation has shown that similar attacks can be carried out against other software which register a URL handler.”

Microsoft Security Bulletin and patch:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.