PT-2008-3018 · Microsoft · Windows Mail (+2 more products)
Published: 2008-08-13 · Updated: 2018-10-12
CVE-2008-1448
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Microsoft Outlook Express versions 5.5 SP2 through 6 SP1
Windows Mail (affected versions not specified)
Description
The issue concerns the MHTML protocol handler in a component of Microsoft software, which fails to assign the correct Internet Explorer Security Zone to UNC share pathnames. This allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection.
Recommendations
For Microsoft Outlook Express versions 5.5 SP2 through 6 SP1, consider restricting access to the MHTML protocol handler until a patch is available.
For Windows Mail, there is currently no information about a newer version that contains a fix for this vulnerability.
Affected Products
Internet Explorer
Outlook Express
Windows Mail