Signature Detail

SMTP: Email With Malicious URL Hiding Encoding

This signature detects attempts to exploit a known vulnerability in Microsoft Outlook Express. Attackers can embed binary control characters in a URL that is included in an email; when the URL is viewed, these control characters prevent Outlook Express and Internet Explorer from displaying the complete URL, which can have malicious content.

Extended Description

A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI for a visited page. The problem is said to occur when a URI designed to pass access a specific location with a supplied username, contains a hexadecimal 1 value prior to the @ symbol. An attacker could exploit this issue by supplying a malicious URI pointing to a page designed to mimic that of a trusted site, and tricking a victim who follows a link into believing they are actually at the trusted location.

Affected Products

• Microsoft Internet Explorer 5.0
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1
• Microsoft Outlook Express 4.0
• Microsoft Outlook Express 4.0.1 SP2
• Microsoft Outlook Express 4.27.3110
• Microsoft Outlook Express 4.72.2106
• Microsoft Outlook Express 4.72.3120
• Microsoft Outlook Express 4.72.3612
• Microsoft Outlook Express 5.0
• Microsoft Outlook Express 5.0.1
• Microsoft Outlook Express 5.5
• Microsoft Outlook Express 6.0
• Microsoft Outlook XP
• Mozilla Browser 1.2.1
• MySoft Studio MyIE2 0.9.10

References

• BugTraq: 9182
• CVE: CVE-2003-1025
• URL: http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
• URL: http://www.kb.cert.org/vuls/id/652278