MS08-015, CVE-2008-0110, addresses a vulnerability in Microsoft Outlook’s implementation of “mailto” URI handling. The attack can be launched via IE or other applications which invoke the “mailto” protocol.

Applications can register pluggable protocol handlers to handle a custom Uniform Resource Locator (URL) protocol scheme. Here “mailto” is one example of the many protocol handlers that can be registered. The “pluggable” model allows new or custom protocol schemes to be flexibly implemented and added. For a detailed description of “asynchronous pluggable protocols”, please refer to http://msdn2.microsoft.com/en-us/library/aa767916(VS.85).aspx.

The registration of the application protocol handler is controlled by the registry key: HKEY_CLASSES_ROOT\<protocol scheme>. For example, the registry key for the “mailto” protocol is: HKEY_CLASSES_ROOT\mailto

[HKEY_CLASSES_ROOT\mailto]
"EditFlags"=hex:02,00,00,00
"URL Protocol"=""
@="URL:MailTo Protocol"

[HKEY_CLASSES_ROOT\mailto\DefaultIcon]
@="\"C:\\PROGRA~1\\MICROS~2\\OFFICE11\\OUTLOOK.EXE\",7"

[HKEY_CLASSES_ROOT\mailto\shell]

[HKEY_CLASSES_ROOT\mailto\shell\open]

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\PROGRA~1\\MICROS~2\\OFFICE11\\OUTLOOK.EXE\" -c IPM.Note /m \"%1\""

As shown above, “outlook.exe” is the application launched to process the “mailto” protocol. You could change the shell open command to use another mail client to handle the protocol, or you could remove HKEY_CLASSES_ROOT\mailto to disable the “mailto” protocol entirely, as the workaround in the bulletin does. Once this key is removed, the following dialog pops up when IE handles a “mailto” link.

[Image: the dialog IE displays when no handler is registered for the “mailto” protocol]

The second part we would like to talk about here is a specific registry key which impacts IE behavior. The key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

The ProtocolDefaults key specifies the default security zone used for a particular protocol (ftp, http, https, etc.). Each DWORD value under this key is named for a protocol, and its data specifies the default security zone for that protocol.

Back to our “mailto” example, if we add the following value under ProtocolDefaults:

Name: mailto
Type: REG_DWORD
Data: 0

This setting places “mailto” in the Local Machine zone. If a page in the Internet or Intranet zone then attempts to navigate to a “mailto” URL, that navigation is a zone elevation and IE blocks it. This mitigates the attack when it is launched via IE from the Internet or Intranet. For more details about IE’s zone elevation feature, please refer to http://msdn2.microsoft.com/en-us/library/ms537185(VS.85).aspx.

The values for the zones are:

   Value    Setting
   ------------------------------
   0        Local Machine Zone
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone

More details about the ProtocolDefaults key can be found in http://support.microsoft.com/kb/182569.

The reason we did not list this approach in the bulletin is that this is for IE only. The above setting won’t prevent another app from invoking the “mailto” protocol.
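To check both settings on a machine at once, an administrator can export the relevant keys with `reg export` and audit the result. The following script is an added example (not code from the bulletin or this post): it parses a .reg export and reports, per URL scheme, whether a handler is registered, which command runs, and which zone ProtocolDefaults pins it to. The sample export is constructed from the mailto keys shown above, with the ProtocolDefaults mitigation applied to mailto and http left in the Internet zone.

```python
import re

# Zone numbers as listed in the ProtocolDefaults table on this page.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
PROTOCOL_DEFAULTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\ZoneMap\ProtocolDefaults")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)        # REG_DWORD is written as hex
            elif data.startswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo .reg escaping of \ and "
            keys[current][name.strip('"')] = data           # hex:/other types kept verbatim
    return keys

def audit_scheme(keys, scheme):
    """Who handles a URL scheme, and which IE zone ProtocolDefaults pins it to."""
    handler = keys.get(rf"HKEY_CLASSES_ROOT\{scheme}\shell\open\command", {}).get("@")
    zone = keys.get(PROTOCOL_DEFAULTS, {}).get(scheme)
    return {
        "registered": rf"HKEY_CLASSES_ROOT\{scheme}" in keys,
        "handler": handler,
        "zone": None if zone is None else ZONES.get(zone, f"unknown ({zone})"),
        # IE treats Internet/Intranet -> scheme as zone elevation only for zone 0.
        "blocked_from_internet": zone == 0,
    }

# Constructed sample export: the mailto keys from this post plus a ProtocolDefaults key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\mailto]
"URL Protocol"=""
@="URL:MailTo Protocol"
[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\PROGRA~1\\MICROS~2\\OFFICE11\\OUTLOOK.EXE\" -c IPM.Note /m \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"mailto"=dword:00000000
"http"=dword:00000003
'''

if __name__ == "__main__":
    for scheme in ("mailto", "http", "ftp"):
        print(scheme, audit_scheme(parse_reg(SAMPLE_REG), scheme))
```

On a real system, replace SAMPLE_REG with the contents of `reg export HKCR\mailto` and the ProtocolDefaults key (decode the UTF-16 output first).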

In general, if you feel a particular protocol is not safe (we won’t name one here :-)), removing the HKEY_CLASSES_ROOT\<protocol scheme> registry key can be an option, or you may consider locking down its default security zone in IE via the ProtocolDefaults setting.

- Security Vulnerability Research & Defense Bloggers

*Postings are provided "AS IS" with no warranties, and confers no rights.*