Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.1
CVE Id CVE-2008-1448
Last Modified 20 Jun 2011 12:00:00
Published 12 Aug 2008 08:41:00
Confidentiality Impact COMPLETE
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-1448

Summary

The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability."

Vulnerable Systems

Application

  • Microsoft Outlook Express 5.5

  • Microsoft Outlook Express 6.0

  • Microsoft Windows Mail


References

CERT - TA08-225A

BID - 30585

MS - MS08-048

SECUNIA - 31415

VUPEN - ADV-2008-2352

SECTRACK - 1020680

SECTRACK - 1020679

BUGTRAQ - 20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

MISC - http://www.coresecurity.com/content/internet-explorer-zone-elevation

HP - SSRT080117

HP - HPSBST02360


Last Updated: 27 May 2016 10:47:28