Stan Beer
Saturday, 24 March 2007 08:40
After Microsoft spent months touting Vista as the answer to the prayers of users seeking a secure Windows operating system, a new critical vulnerability has arisen as a retort to its claims. The vulnerability, in Vista's email client Windows Mail, allows a remote code execution exploit and would qualify for critical status if addressed by Microsoft under its monthly patching cycle.
The vulnerability in Windows Mail, the successor to Outlook Express, was exposed on the Full Disclosure security mailing list by a hacker called Kingcope. It has been acknowledged by Microsoft, which is reported to be investigating further.
According to Kingcope: "Remote Code Execution is possible if a user clicks on a malicious prepared link. Vista's Mail Client will execute any executable file if a folder exists with the same name. For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking. There is for example a CMD script by default in C:\Windows\System32\ named winrm.cmd (and also a folder named winrm inside System32)."
Needless to say, the description provides a perfect example of why email recipients should not click on links from unknown sources.
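
The condition Kingcope describes, a folder and an executable file sharing a name in the same directory, can be audited for. The following Python sketch is an added example, not code from the article or from Kingcope's post; the function names and the extension set are assumptions, and the sample directory is constructed.

```python
import os
import tempfile

# Assumption: extensions treated as directly runnable (a subset of the
# default Windows PATHEXT list). The advisory says "any executable file".
EXEC_EXTS = {".bat", ".cmd", ".com", ".exe"}


def find_name_collisions(root):
    """Return sorted (folder_path, file_path) pairs directly under `root`
    where a folder shares its name with an executable's base name."""
    folders, files = {}, []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                # Windows file names are case-insensitive, so compare lowercased.
                folders[entry.name.lower()] = entry.path
            elif entry.is_file(follow_symlinks=False):
                files.append(entry)
    hits = []
    for f in files:
        stem, ext = os.path.splitext(f.name)
        if ext.lower() in EXEC_EXTS and stem.lower() in folders:
            hits.append((folders[stem.lower()], f.path))
    return sorted(hits)


def demo(dirs=("blah", "docs"), files=("blah.bat", "docs.txt", "notes.txt")):
    """Build a constructed directory tree and return colliding name pairs."""
    with tempfile.TemporaryDirectory() as root:
        for d in dirs:
            os.mkdir(os.path.join(root, d))
        for name in files:
            open(os.path.join(root, name), "w").close()
        return [(os.path.basename(d), os.path.basename(f))
                for d, f in find_name_collisions(root)]


if __name__ == "__main__":
    # Constructed layout mirroring the C:\blah and C:\blah.bat case.
    print(demo())
```
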
Kingcope had previously, on March 10, posted a message to the Full Disclosure list advertising zero day exploits for sale.