New Breed of Attack Targets Microsoft Outlook XP Users
Microsoft upgrades Outlook XP's vulnerability to "critical" after researcher finds additional flaws; company urges patch be applied quickly
Microsoft released an “important” Outlook vulnerability notice, then reissued it with a “critical” rating when security researchers found further flaws.
Affected software includes Microsoft Office XP Service Pack 2 and Microsoft Outlook 2002 Service Pack 2. A successful attack could result in remote code execution.
According to security researcher Jouko Pynnönen, who discovered the vulnerability, an attacker could attack Outlook and ultimately execute arbitrary code when a victim uses an attacker-created e-mail address or views a specially created Web page.
Here’s the problem: “During Outlook installation, a mailto: URL handler is registered to the system. When a mailto: URL is opened, the system starts Outlook.exe” with certain arguments, notes Pynnönen. If the URL in the e-mail address contains a quote symbol, however, an attacker can inject additional arguments into Outlook.exe.
One concern is that a user’s PC can be exploited without the user actually clicking on—or opening—anything. For example, an image tag on a Web page can be built to exploit the flaw.
Pynnönen classes this as a new type of exploit. “The issue is not a standard ‘cross site scripting’ vulnerability, but a different kind of injection attack. The exploit can inject command line switches and arguments to Outlook.exe because quote symbols in the URL aren't escaped or otherwise processed.” He also warns the vulnerability could be widespread. “Further investigation has shown that similar attacks can be carried out against other software which register a URL handler.”
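The handler behaviour described above can be modelled in a few lines. This is an added example, not code from the article, the researcher or Microsoft: `handler.exe`, the `/open` switch and the sample URLs are constructed placeholders (the article does not give Outlook's real arguments), and the argument splitter is a simplified stand-in for Windows command-line parsing.

```python
from urllib.parse import quote

# Hypothetical URL-handler registration: the OS substitutes the URL for %1.
# Program name and switch are placeholders, not Outlook's actual command line.
HANDLER_TEMPLATE = '"handler.exe" /open "%1"'

def split_args(cmdline):
    """Simplified argv split: whitespace separates arguments unless inside double quotes."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def expand_naive(url):
    """Substitute the URL verbatim, with quote symbols left unprocessed."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def expand_escaped(url):
    """Percent-encode quotes and whitespace before substitution (hardened form)."""
    safe = quote(url, safe=":/?&=@%+,;-._~")
    return split_args(HANDLER_TEMPLATE.replace("%1", safe))

def injects_arguments(url):
    """Check: does the URL arrive as anything other than one intact argument?"""
    return expand_naive(url) != ["handler.exe", "/open", url]

# Constructed sample inputs.
BENIGN = "mailto:bob@example.com"
CRAFTED = 'mailto:a@example.com" /injected-switch "value'

if __name__ == "__main__":
    for u in (BENIGN, CRAFTED):
        print(injects_arguments(u), expand_naive(u), expand_escaped(u))
```

With the crafted URL the naive expansion yields five arguments instead of three, while the escaped form keeps the whole URL as a single argument containing `%22`.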
Microsoft Security Bulletin and patch: http://www.microsoft.com/technet/security/bulletin/offmar04.mspx
Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.