CERT-In Vulnerability Note CIVN-2008-128
Microsoft Outlook Express and Windows Mail MHTML Handler Cross-Domain Information Disclosure Vulnerability

Original Issue Date: August 14, 2008

Severity Rating: Medium

Systems Affected

Microsoft Outlook Express 6 SP1 and prior is vulnerable when running on the following systems:

  • Windows 2000 SP4 and prior
  • Windows XP SP3 and prior
  • Windows XP Professional x64 Edition SP2 and prior
  • Windows Server 2003 SP2 and prior
  • Windows Server 2003 x64 Edition SP2 and prior
  • Windows Server 2003 with SP2 and prior for Itanium-based Systems

Microsoft Windows Mail is vulnerable when running on the following systems:

  • Windows Vista SP1 and prior
  • Windows Vista x64 Edition SP1 and prior
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems
  • Microsoft Internet Explorer

Overview

An information disclosure vulnerability has been reported in Microsoft Outlook Express and Windows Mail that could allow an unauthenticated, remote attacker to gain access to sensitive information.

Description

The vulnerability exists because the MHTML protocol handler interprets MHTML URL redirections incorrectly. Outlook Express or Windows Mail is the default handler for MHTML content on affected systems. The affected applications do not properly process MHTML content, allowing content to access information across Internet Explorer security zones or domains.

An unauthenticated, remote attacker could exploit the vulnerability by constructing a specially crafted web page and convincing a user to visit the page containing malicious MHTML content. If successful, the attacker could view sensitive information from other security zones, possibly resulting in the disclosure of sensitive information, such as cookie-based authentication credentials.

Workarounds

  • Lock down the MHTML protocol handler

Internet Explorer can be configured to lock down HTML content from particular network protocols in additional zones besides the Local Machine zone. For details, refer to MS08-048.

  • Ensure that an attacker would have no way to force users to visit the specially crafted Web sites.
  • Use Enhanced Security Configuration for Internet Explorer.
  • Avoid using Active Scripting and ActiveX controls when reading HTML e-mail messages.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-048.


Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-048.mspx

References

FrSIRT
http://www.frsirt.com/english/advisories/2008/2352

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=16404


SecurityTracker
http://www.securitytracker.com/alerts/2008/Aug/1020680.html

Secunia
http://secunia.com/cve_reference/CVE-2008-1448/

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003