
Outlook mailto: URL handling flaw allows code execution

March 9th, 2004

Overview

Microsoft Outlook is a popular mail client.

A vulnerability exists in Outlook which allows execution of arbitrary code when a victim user views a web page or an e-mail message created by an attacker.

Details

During Outlook installation, a mailto: URL handler is registered with the system. When a mailto: URL is opened, the system starts OUTLOOK.EXE with the following arguments:

  OUTLOOK.EXE -c IPM.Note /m "mailto:email@address"

If the URL contains a quote symbol, additional command line arguments can be injected into the OUTLOOK.EXE command line. The program recognizes several command line switches, and a startup URL to be opened by Outlook can also be supplied on the command line. This URL can be a javascript: URL, and if the "Outlook today" page is the current view in Outlook, the JavaScript code will be executed in the "Local machine" zone. This allows an attacker to, for example, download and start an EXE program of the attacker's choosing.

A web page or e-mail message exploiting this flaw may contain, for instance, an IMG tag that refers to a mailto: URL. The victim user need not click on a link.

If the "Outlook today" view isn't the default view in Outlook, the attacker can still carry out the attack by using two mailto: URLs. The information in the mitigating factors section of Microsoft's bulletin (first version) regarding this was inaccurate. The first mailto: URL would start OUTLOOK.EXE and cause it to show the "Outlook today" view, and the second one would supply the offending JavaScript code. This scenario was verified by an exploit. After receiving this information, Microsoft reclassified the issue in the highest severity class, critical.

The issue is not a standard "cross site scripting" vulnerability, but a different kind of injection attack. The exploit can inject command line switches and arguments into the OUTLOOK.EXE command line because quote symbols in the URL aren't escaped or otherwise processed. This can be considered a new vulnerability category, and further investigation has shown that similar attacks can be carried out against other software that registers a URL handler.
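
The following is an added example, not code from the original advisory or from Microsoft. It models how an unescaped quote in the URL splits the handler's command line into extra arguments, and how percent-encoding the URL before substitution keeps it a single argument. The "%1" placeholder in the template, the simplified argument splitter, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import quote

# Handler command modelled on the advisory's command line; "%1" as the
# placeholder the system replaces with the URL is an assumption.
TEMPLATE = 'OUTLOOK.EXE -c IPM.Note /m "%1"'
TEMPLATE_ARGC = 5  # program name, -c, IPM.Note, /m, and the URL itself

def split_args(cmdline):
    """Simplified Windows-style splitting: whitespace separates arguments
    except inside double quotes; quotes toggle and are dropped.
    Backslash escaping is deliberately left out of this model."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def expand_naive(url):
    """The flawed behaviour: the URL is pasted in with its quotes intact."""
    return split_args(TEMPLATE.replace("%1", url))

def expand_hardened(url):
    """Percent-encode quotes, whitespace and control characters first, so the
    URL cannot close the quoted argument (one mitigation, not Microsoft's fix)."""
    encoded = quote(url, safe=":@/?&=+,;%._~!$'()*#")
    return split_args(TEMPLATE.replace("%1", encoded))

def injected_args(argv):
    """Arguments beyond those the template itself defines."""
    return argv[TEMPLATE_ARGC:]

# Constructed sample input; "/placeholder-switch" is not a real Outlook switch.
BENIGN = "mailto:user@example.com"
CRAFTED = 'mailto:user@example.com" /placeholder-switch "x'

if __name__ == "__main__":
    for url in (BENIGN, CRAFTED):
        print(repr(url), "naive extra args:", injected_args(expand_naive(url)),
              "hardened extra args:", injected_args(expand_hardened(url)))
```

The same argument-count comparison can be used as a regression test for any application that registers a URL handler.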

Affected versions

According to Microsoft, the affected supported versions are Microsoft Office XP SP2 and Microsoft Outlook 2002 SP 2.

Solution

Microsoft was informed on July 21st, 2003 and has released an update to correct the problem. A bulletin describing the update can be seen here.

Credits

The vulnerability was discovered and researched by Jouko Pynnönen (jouko@iki.fi), Finland.