Cross-Domain Information Disclosure in Microsoft Outlook Express and Windows Mail
CVE-2008-1448

Currently unrated

Key Information:

Vendor: Microsoft
Status: Outlook Express; Windows Mail
Vendor: CVE Published:; 13 August 2008

Summary

A vulnerability in the MHTML protocol handler of Microsoft Outlook Express 5.5 SP2 and 6 SP1, along with Windows Mail, could allow remote attackers to bypass intended access restrictions. This occurs due to incorrect assignment of Internet Explorer Security Zones to UNC share pathnames. Attackers can exploit this flaw to read arbitrary files from the affected devices by utilizing an mhtml: URI in combination with a redirection, highlighting the importance of securing email clients against such cross-domain information disclosure threats.

References

http://www.securitytracker.com/id?1020679

vdb-entryx_refsource_SECTRACK

http://www.securityfocus.com/bid/30585

vdb-entryx_refsource_BID

http://www.us-cert.gov/cas/techalerts/TA08-225A.html

third-party-advisoryx_refsource_CERT

EPSS Score

46% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Aug 13, 2008
Vulnerability Reserved
Mar 21, 2008