Message-ID: <20040311091507.21896.qmail@www.securityfocus.com>
Date: 11 Mar 2004 09:15:07 -0000
From: K-OTiK Security <Special-Alerts@...tik.com>
To: bugtraq@...urityfocus.com
Subject: Re: Outlook mailto: URL argument injection vulnerability MS04-009
    (Now CRITICAL) !


In-Reply-To: <20040310123503.GC9654@...ko.iki.fi>

>Date: Wed, 10 Mar 2004 14:35:05 +0200
>From: Jouko Pynnonen <jouko@....fi>
>To: bugtraq@...urityfocus.com
>Subject: Outlook mailto: URL argument injection vulnerability

> [...]
>If the "Outlook today" view isn't the default view in Outlook, the 
>attacker can still carry out the attack by using two mailto: URLs; the 
>information in the mitigating factors section of Microsoft's bulletin 
>regarding this is inaccurate. The first mailto: URL would start 
>OUTLOOK.EXE and cause it to show the "Outlook today" view, and the 
>second one would supply the offending JavaScript code. This scenario 
>was verified by an exploit.
>

Microsoft's advisory "Outlook 2002 mailto arbitrary code execution" was updated yesterday; the Maximum Severity Rating was upgraded from "Important" to "Critical".

V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new client update.

Best Regards.
Gilles Fabienni - Consultant Sécurité
Cellule Veille - K-OTik Security
http://www.k-otik.com

