Vista's Windows Mail vulnerable to file-execution attack

A design error in Microsoft's Windows Mail, the e-mail application bundled into Windows Vista, could expose users to remote file-execution attacks, according to a warning from security researchers.

A hacker known as "Kingcope" published proof-of-concept code to show that remote code execution is possible if a user is tricked into clicking a malicious link.
The error is that Windows Mail will execute any executable file if a folder exists with the same name.
"For example the victim has a folder in C: named blah and a batch script named blah.bat also in C:. Now if the victim clicks on a link in the email message with the URL target set to C:lah the batch script is executed without even asking," Kingcope explained.
If a UNC path is employed in an attack, then no local files are required to be present for this issue to be exploited.
A successful attack can facilitate remote code execution and result in unauthorized access in the context of the vulnerable user.
Microsoft is investigating Kingcope's claim but a spokesman made it clear the company was "not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesman said in an e-mailed statement.