Reported April 23, 2003, by Microsoft.
VERSIONS AFFECTED
· Microsoft Outlook Express 6.0 and 5.5
DESCRIPTION
A vulnerability in Microsoft Outlook Express 6.0 and 5.5 can result in the execution of arbitrary code on the vulnerable system. This vulnerability is the result of a flaw in the MIME Encapsulation of Aggregate HTML (MHTML) URL handler. To exploit this vulnerability, an attacker can construct a URL and either host it on a Web site or send it by email. In the Web-based scenario, when a user clicks the site-hosted URL, the attacker can then read or launch files already present on the local machine.
VENDOR RESPONSE
Microsoft has released Security Bulletin MS03-014, "Cumulative Patch for Outlook Express (330994)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.
CREDIT
Discovered by Microsoft.