CVE-2006-2055

Name of the Vulnerable Software and Affected Versions Microsoft Outlook version 2003 SP1

Description The issue allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler. This can be demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. It is unclear whether this issue is specific to the implementation or a problem in the Microsoft API.

Recommendations For Microsoft Outlook version 2003 SP1, consider restricting the use of the mailto: scheme handler to minimize the risk of exploitation until a fix is available. Avoid using " (double quote) characters in the scheme handler to prevent argument injection.