Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-1448


Vulnerability Score 7.1 7.1
CVE Id CVE-2008-1448
Last Modified 20 Jun 2011 12:00:00
Published 12 Aug 2008 08:41:00
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE



The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability."

Vulnerable Systems


  • Microsoft Outlook Express 5.5

  • Microsoft Outlook Express 6.0

  • Microsoft Windows Mail


CERT - TA08-225A

BID - 30585

MS - MS08-048

SECUNIA - 31415

VUPEN - ADV-2008-2352

SECTRACK - 1020680

SECTRACK - 1020679

BUGTRAQ - 20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass


HP - SSRT080117

HP - HPSBST02360

Last Updated: 27 May 2016 10:47:28