CVE-2006-2056

Name of the Vulnerable Software and Affected Versions Internet Explorer 6 for Windows XP SP2

Description The issue allows remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler. This can be demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. It is unclear whether this issue is specific to the implementation or a problem in the Microsoft API.

Recommendations For Internet Explorer 6 on Windows XP SP2, consider disabling the handling of mailto: scheme handlers as a temporary workaround until a patch is available. Restrict access to invoking mail clients with modified command line arguments to minimize the risk of exploitation. Avoid using the mailto: scheme handler with untrusted input until the issue is resolved.