CVE-2001-0538
published 2001-08-14CVE-2001-0538: Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail…
PriorityP348critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
52.85%
98.8th percentile
Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail message or web page.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | outlook | <= 2002 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The Microsoft Outlook View Control ActiveX is marked 'safe for scripting', allowing untrusted scripts (e.g., in HTML email or web pages) to instantiate it and access/manipulate Outlook email objects without user interaction. Detect instantiation of this control from web/email contexts. ↗
- →Exploit code uses a delayed script execution pattern (setTimeout with ~2000ms) to trigger malicious ActiveX operations after page/email load. Monitor for setTimeout-based ActiveX invocations in HTML email or web content. ↗
- →Exploitation chain pivots from the Outlook View Control to spawning WScript.Shell via CreateObject, then executing arbitrary commands via CMD.EXE. Monitor Outlook processes for child process creation of cmd.exe or wscript.exe. ↗
- →Scripts access email body and subject through the Outlook View Control selection object (sel.Item(1).Body / .HTMLBody / .Subject). Anomalous script-level access to Outlook mail item properties from browser or HTML email context is indicative of exploitation. ↗
- ·Exploitation requires the victim to have at least one message present in Outlook XP's Inbox at the time the malicious HTML email or web page is rendered. ↗
- ·The vulnerability affects Microsoft Outlook 98, 2000, and 2002 (Outlook XP) and earlier versions where the Outlook View Control ActiveX is present and marked safe for scripting. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Microsoft Outlook 98/2000/2002 - Unauthorized Email Access
exploitdb·2001-07-12
CVE-2001-0538 Microsoft Outlook 98/2000/2002 - Unauthorized Email Access
Microsoft Outlook 98/2000/2002 - Unauthorized Email Access
---
source: https://www.securityfocus.com/bid/3025/info
Microsoft Outlook introduces a vulnerability that may allow attackers to access and manipulate user email.
The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts.
Scripts can access and perform operations on user email through this control without user knowledge or consent.
This assumes you have at least one message in Outlook XP's Inbox
function f()
{
//alert(o2.object);
sel=o1.object.selection;
vv1=sel.Item(1);
alert("Subject="+vv1.Subject);
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
alert("May be deleted");
Exploit-DB
Microsoft Outlook 98/2000/2002 - Arbitrary Code Execution
exploitdb·2001-07-12
CVE-2001-0538 Microsoft Outlook 98/2000/2002 - Arbitrary Code Execution
Microsoft Outlook 98/2000/2002 - Arbitrary Code Execution
---
source: https://www.securityfocus.com/bid/3026/info
Microsoft Outlook introduces a vulnerability that may allow attackers to execute arbitrary commands on a target system.
The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts.
Scripts can execute commands without user knowledge or consent.
This assumes you have at least one message in Outlook XP's Inbox
function f()
{
//alert(o2.object);
sel=o1.object.selection;
vv1=sel.Item(1);
alert("Subject="+vv1.Subject);
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
alert("May be deleted");
//vv1.Delete();
vv2=vv1.Session.App
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=99496431214078&w=2http://www.ciac.org/ciac/bulletins/l-113.shtmlhttp://www.kb.cert.org/vuls/id/131569http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=862http://www.securityfocus.com/bid/3025https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-038https://exchange.xforce.ibmcloud.com/vulnerabilities/6831http://marc.info/?l=bugtraq&m=99496431214078&w=2http://www.ciac.org/ciac/bulletins/l-113.shtmlhttp://www.kb.cert.org/vuls/id/131569http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=862http://www.securityfocus.com/bid/3025https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-038https://exchange.xforce.ibmcloud.com/vulnerabilities/6831
2001-08-14
Published