To: bosquedog who wrote (21332) 7/13/2001 10:54:49 PM
From: SIer formerly known as Joe B.

Outlook E-mail Vulnerability Found
Friday July 13 05:36 PM EDT
dailynews.yahoo.com


By Computerworld

A hole in its software could let an attacker run malicious code on
a victim's computer via either a Web page or HTML e-mail.

(The Industry Standard)

A vulnerability in an ActiveX control shipped with Microsoft's Outlook 98, Outlook 2000 or Outlook
2002 e-mail software could let an attacker run malicious code on a victim's computer via either a
Web page or HTML e-mail.

The defect lies in the Microsoft Outlook View Control, an ActiveX control that allows Outlook mail
folders to be viewed via Web pages, according to Microsoft. The company alerted Technical
Account Managers who are part of its worldwide support network to encourage users to apply
administrative measures outlined in an updated advisory the company released this morning.

Normally, the control should only allow users to passively view mail or calendar data. But the
vulnerability could expose a function that allows Web pages to actively manipulate Outlook data, thus
allowing attackers to delete mail, change calendar information or run destructive code on a victim's
computer via Outlook, the advisory said.

There are two ways in which users can expose themselves to the vulnerability, said Scott Culp, a
program manager at Microsoft's security team.

One is by simply visiting a malicious Web page; the other is by opening up malicious HTML e-mail,
Culp said.

"It is not needed for users to open or click on attachments" for the control to be invoked, said Georgi
Guninski, the Bulgarian bug-hunter who first reported the problem to Microsoft on July 9. Users can
trigger the malicious code simply by visiting a Web page or by previewing Outlook e-mail messages,
he said in an e-mail to Computerworld.

"It is extremely easy to find the vulnerability. ... I found it very quickly after I installed Office XP,"
Guninski said. "And if Outlook 98 is affected, as Microsoft states in their advisory, this means it has
been around for years."

Guninski has been responsible for discovering dozens of similar bugs in Microsoft products. However,
his decision to publish details of the latest vulnerability and how to exploit it, before Microsoft has had
a chance to fix the problem, was irresponsible, Culp said.

"As a direct result of Mr. Guninski's actions, customers are exposed to a far greater risk than they
would have been" if he had simply given Microsoft a chance to respond, Culp said.

As it is, Microsoft's advisory just warns users of the problem and advises them how to work around it
by temporarily disabling ActiveX controls in the IE Internet Zone. Customers need to also ensure that
they have installed the Outlook E-mail Security Update that Microsoft has made available, Culp said.
The Update causes HTML e-mails to be opened in a restricted zone where ActiveX controls are
disabled by default.

Culp claimed Microsoft is working on a patch to fix the problem, but it didn't give any estimates on
when it would be available.

"Because Mr. Guninski chose to publicize this in such an irresponsible manner, customers are going to
be forced to touch their systems twice" to fix the problem, he said. The first time will be to implement
the work-around and the second time to install the patch, Culp explained.
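
The workaround the article describes (disabling ActiveX controls in the IE Internet zone, with the Outlook E-mail Security Update moving HTML mail into the Restricted zone) can be audited from the registry. The PowerShell below is an added example, not code from the article, Computerworld or Microsoft; it assumes the standard Internet Explorer zone registry layout (zone 3 = Internet, zone 4 = Restricted sites) and the documented URL-action value names, and it reads or changes only the current user's settings when remediating.

```powershell
# Added audit script (not from the article or from Microsoft). It reads the
# Internet Explorer zone URL-action values that govern ActiveX and reports
# whether the advisory's workaround (ActiveX disabled in the Internet zone)
# is in place. Assumes the standard IE zone registry layout; value names are
# the documented URL-action identifiers, data: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$ActiveXActions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$StateName = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActiveXState {
    [CmdletBinding()]
    param(
        # Zone 3 = Internet (the advisory's target); zone 4 = Restricted sites,
        # where the Outlook E-mail Security Update opens HTML mail.
        [int]$Zone = 3
    )
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $ActiveXActions.Keys) {
            $raw = $props.$action
            $state = if ($null -eq $raw) { 'NotSet' }
                     elseif ($StateName.ContainsKey([int]$raw)) { $StateName[[int]$raw] }
                     else { "Unknown($raw)" }
            [pscustomobject]@{
                Hive      = $hive
                Zone      = $Zone
                Action    = $action
                Setting   = $ActiveXActions[$action]
                State     = $state
                Compliant = ($state -eq 'Disabled')   # matches the advisory's workaround
            }
        }
    }
}

function Disable-InternetZoneActiveX {
    # Applies the workaround for the current user only (HKCU, zone 3).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($action in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $key -Name $action -Value 3 -Type DWord
    }
}

# Any row that is not 'Disabled' still lets a Web page or HTML mail in that
# zone instantiate controls such as the Outlook View Control.
Get-ZoneActiveXState -Zone 3 | Format-Table -AutoSize
Get-ZoneActiveXState -Zone 4 | Format-Table -AutoSize
```

Run the audit before and after applying the workaround, and again after Microsoft's patch is installed, since the article notes the settings will need to be revisited at that point.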