Microsoft has upgraded the severity of an Outlook vulnerability to "critical" after a new way of exploiting it surfaced this week.
The vulnerability stems from how Outlook handles mailto URLs. Specifically, the flaw allows Internet Explorer to execute script code in the Local Machine zone, according to an advisory from Microsoft. The flaw exists only in Microsoft Office XP Service Pack 2 and Microsoft Outlook 2002 Service Pack 2.
Initially, Microsoft said the flaw could be exploited only if the Outlook Today folder was being used as the homepage. Few people do that; generally, the Outlook Today folder is the default homepage only if no e-mail accounts exist. When an e-mail account is set up, the homepage changes to the inbox.
But, as it turns out, the vulnerability can be exploited even if Outlook Today isn't the homepage. To exploit the flaw, an attacker would need to send two specially crafted mailto URLs. The first would start Outlook and open the Outlook Today page, and the second would inject the exploit code. The exploit code needs to be injected into vulnerable systems either by a malicious Web site set up by the attacker or via an HTML e-mail.
When the flaw is exploited, attackers gain the same system privileges as the user. They could access files and run code on compromised systems. The potential damage is less severe if systems are configured with fewer privileges; systems with full administrative privileges would be at more risk.
The danger posed by the vulnerability may be offset slightly by the complexity needed for an attack to be successful. Attackers would have to create a Web site that injects the exploit code and then get potential victims to view the site. The second attack vector is an HTML e-mail that exploits the flaw.
People who view their e-mail in plain text will be insulated from the second mode of attack, so, until systems are patched, Microsoft recommends that vulnerable users read e-mail messages in plain text only. Those who are vulnerable include users of Outlook 2002 and Outlook Express 6.0 Service Pack 1 and later versions.
Additionally, the Outlook Today folder should not be used as the homepage. Microsoft offers the following steps for users to turn the folder off:
- In the "Folder List" window of Outlook, right-click on "Outlook Today" or "Mailbox - [User Name]."
- Select Properties for "Outlook Today" or "Mailbox - [User Name]."
- Select the "Home Page" tab.
- Uncheck "Show home page by default for this folder."
- Repeat for all other "Folder List" items labeled "Outlook Today" or "Mailbox - [User Name]."