CVE-2004-0284
Description
Internet Explorer and Outlook freeze due to 100% CPU when handling URLs with two null characters after the host name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 contain a denial of service vulnerability when processing URLs that include two null characters (%00) appended after the host name. This affects systems where the 'Do not save encrypted pages to disk' option is disabled. The bug exists in the URL parsing code, causing the browser or email client to enter an infinite loop or consume excessive CPU resources upon encountering the malformed URL. IE installations with all patches applied up to, but excluding, MS04-004 are affected [1].
Exploitation
An attacker can exploit this remotely without requiring any prior authentication or user interaction beyond the victim visiting a malicious web page or opening a specially crafted HTML email in Outlook. The attacker controls a web server or sends an email containing a URL such as http://example.com%00%00/. When the user accesses the URL, Internet Explorer or Outlook will attempt to parse it and immediately hang, consuming 100% CPU resources. The user must terminate the application via Task Manager to regain normal operation [1].
Impact
Successful exploitation results in a denial of service (DoS) condition for the affected application (Internet Explorer, Outlook 2002, or Outlook 2003). The application becomes completely unresponsive, consuming all available CPU resources. This can disrupt user productivity and prevent access to web content or email. No data is compromised, and the attacker does not gain code execution or elevated privileges [1].
Mitigation
Microsoft released security update MS04-004 in February 2004 which addresses this vulnerability. The update is available for Internet Explorer 6.0, Outlook 2002, and Outlook 2003. As a workaround, users can disable the 'Do not save encrypted pages to disk' option, but this is not recommended as it may expose other risks. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should apply the update or upgrade to a supported version of the software [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
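A mail gateway or web proxy can flag the malformed URLs described above before they reach an unpatched client. The following is an added example, not code from this CVE record or from Microsoft; the function names, the attribute list and the sample HTML are constructed for illustration, and it flags any NUL in the host part rather than exactly two, since a legitimate host name never contains one.

```python
import re
from html.parser import HTMLParser

# Authority = everything after "scheme://" up to the first "/", "?" or "#".
# NUL (raw or percent-encoded) is deliberately not treated as a delimiter.
_AUTHORITY = re.compile(r"^[a-z][a-z0-9+.\-]*://([^/?#]*)", re.IGNORECASE)
_NUL = re.compile(r"%00|\x00")


def nul_count_in_authority(url):
    """Count raw or percent-encoded NUL bytes in the host part of a URL."""
    m = _AUTHORITY.match(url.strip())
    return len(_NUL.findall(m.group(1))) if m else 0


class _LinkCollector(HTMLParser):
    # Attributes that make a client fetch or resolve a URL (assumed list).
    URL_ATTRS = {"href", "src", "action", "background"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def suspicious_urls(html, threshold=1):
    """Return URLs in an HTML body whose host part holds >= threshold NULs."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return [u for u in collector.urls if nul_count_in_authority(u) >= threshold]


# Constructed sample message body, not captured traffic.
SAMPLE = """<html><body>
<a href="http://example.com/">ok</a>
<a href="http://example.com%00%00/">crafted</a>
<img src="HTTP://example.com%00%00/x.gif">
<a href="http://example.com/download?name=a%00b">NUL in query only</a>
</body></html>"""

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE):
        print("flag:", url)
```

A NUL in the path or query is left alone here because the record ties the hang to null characters after the host name; a stricter policy can scan the whole URL.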
Affected products
- cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
- (no CPE), range: = 6.0
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/9629 (nvd; Patch, Vendor Advisory)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15127 (nvd)