MHTML Arbitrary Code Execution in Microsoft Outlook Express

Reported April 23, 2003, by Microsoft.





· Microsoft Outlook Express 6.0 and 5.5




A vulnerability in Microsoft Outlook Express 6.0 and 5.5 can result in the execution of arbitrary code on the vulnerable system. This vulnerability is the result of a flaw in the MIME Encapsulation of Aggregate HTML (MHTML) URL handler. To exploit this vulnerability, an attacker can construct a URL and either host it on a Web site or send it by email. In the Web-based scenario, when a user clicks the site-hosted URL, the attacker can then read or launch files already present on the local machine.



Microsoft has released Security Bulletin MS03-014, "Cumulative Patch for Outlook Express (330994)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.



Discovered by Microsoft.
