In-Reply-To: <20040310123503.GC9654@jouko.iki.fi> >Date: Wed, 10 Mar 2004 14:35:05 +0200 >From: Jouko Pynnonen <jouko@iki.fi> >To: bugtraq@securityfocus.com >Subject: Outlook mailto: URL argument injection vulnerability > [...] >If the "Outlook today" view isn't the default view in Outlook, the >attacker can still carry out the attack by using two mailto: URLs; The >information in the mitigating factors section of Microsoft's bulletin >regarding this is inaccurate. The first mailto: URL would start >OUTLOOK.EXE and cause it to show the "Outlook today" view, and the >second one would supply the offending JavaScript code. This scenario >was verified by an exploit. > The Microsoft's advisory "Outlook 2002 mailto arbitrary code execution" was updated yesterday, the Maximum Severity Rating was upgraded from "Important" to "Critical". V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new client update. Best Regards. Gilles Fabienni - Consultant Sécurité Cellule Veille - K-OTik Security http://www.k-otik.com
