Through a client-side vulnerability in Windows Mail

Mar 24, 2007 13:13 GMT

Windows Vista is wide open to remote code execution via a flaw in Windows Mail. Designed as a successor to Outlook Express, the free email client is an integral part of Windows Vista, shipping by default with the operating system. On March 23, 2007, a client-side vulnerability allowing for remote code execution in Windows Mail was published on Full Disclosure. The report claims that the vulnerability was successfully tested on a copy of Windows Vista Ultimate.

"Remote Code Execution is possible if a user clicks on a maliciously prepared link. Vista's Mail Client will execute any executable file if a folder exists with the same name. For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking. There is for example a CMD script by default in C:\Windows\System32 named winrm.cmd (and also a folder named winrm inside System32)," the report on Full Disclosure stated.

Microsoft did not confirm the validity of the vulnerability, but it did acknowledge the fact that it is investigating the issue. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," a Microsoft representative commented.

Because Windows Mail is the default mail client in Windows Vista and the vulnerability allows an attacker to execute and run applications on Vista machines, the flaw can be considered as impacting the operating system directly.
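
The condition described in the quoted report, a folder with a same-named script or executable sitting beside it, is something a defender can audit for in any directory. The sketch below is an added example, not code from the report or from Microsoft; the function names, the extensions beyond .bat and .cmd, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions treated as directly runnable. The page names .bat and .cmd;
# .exe and .com are an added assumption for broader coverage.
EXEC_EXTS = {".bat", ".cmd", ".exe", ".com"}

def find_collisions(directory):
    """Map each folder in `directory` to same-named executables beside it."""
    folders, runnable = {}, {}
    for entry in os.scandir(directory):
        if entry.is_dir(follow_symlinks=False):
            folders[entry.name.lower()] = entry.name  # Windows names ignore case
        else:
            stem, ext = os.path.splitext(entry.name)
            if ext.lower() in EXEC_EXTS:
                runnable.setdefault(stem.lower(), []).append(entry.name)
    return {folders[k]: sorted(runnable[k]) for k in sorted(folders) if k in runnable}

def link_target_shadowed(target):
    """Return executables sharing a name with the folder a link target points to."""
    target = os.path.normpath(target)
    if not os.path.isdir(target):
        return []  # only folder targets match the reported condition
    parent, name = os.path.split(target)
    hits = find_collisions(parent or os.curdir)
    return next((v for k, v in hits.items() if k.lower() == name.lower()), [])

def build_sample_tree(root):
    """Constructed sample layout mirroring the report's blah and winrm examples."""
    for folder in ("blah", "winrm", "notes"):
        os.mkdir(os.path.join(root, folder))
    for name in ("blah.bat", "winrm.cmd", "tool.exe", "notes.txt"):
        open(os.path.join(root, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for folder, files in find_collisions(root).items():
            print(f"folder '{folder}' is shadowed by: {', '.join(files)}")
```

Run against a real directory, `find_collisions` lists every folder whose name could resolve to a sibling script or binary, which gives a concrete inventory to review while no vendor fix is available.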