CERT Announces M$ Outlook Vulnerability

The geek forum. PHP, Perl, HTML, hardware questions etc.. it's all in here. Got a techie question? We'll sort you out. Ask your questions or post a link to your own site here!

CERT Announces M$ Outlook Vulnerability

Postby Mithrandir » Thu Mar 11, 2004 7:00 am

(As though it were NEWs to people...) Anyway, I just found out about a new security vulnerability in Microsoft Outlook. I would STRONGLY recommend finding another tool if you can, but if you can't, at LEAST apply the patch...

The patch (Bulletin MS04-009) can be downloaded from here:
http://www.microsoft.com/security/security_bulletins/20040309_office.asp

Here's the pert info.

A vulnerability in the way that Microsoft Outlook 2002 handles a
certain type of URL could allow a remote attacker to execute arbitrary
code on the vulnerable system.

Microsoft Outlook provides a centralized application for managing and
organizing email messages, schedules, tasks, notes, contacts, and
other information. Outlook is included as a component of newer
versions of Microsoft Office and available as a stand-alone product.

Outlook 2002 exposes a vulnerability due to inadequate checking of
parameters passed to the Outlook email client. The vulnerability is
caused by the way a "mailto:" URL is interpreted. An attacker creating
specially formatted "mailto:" URLs can cause Outlook to run privileged
script, ultimately leading to the execution of arbitrary code. The
malicious code could be delivered to the victim via a specially
crafted HTML email message or from an intruder-controlled web page.

Microsoft originally stated that users were only at risk from this
vulnerability when Outlook 2002 is configured as the default mail
reader and when the "Outlook Today" home page is their default folder
home page. Subsequent information has been published that indicates
that this is not true and users in other situations are vulnerable via
a slightly different attack vector.
User avatar
Mithrandir
 
Posts: 11071
Joined: Fri Jun 27, 2003 12:00 pm
Location: You will be baked. And then there will be cake.

Postby madphilb » Thu Mar 11, 2004 7:50 am

I highly recommend Pegasus for Windows users. I've been using this program for a long time and have been very happy with it (it now even supports a good deal of HTML in the messages).

The main upside is that it does not support any sort of scripting in the messages, let alone Java or ActiveX, it hollars at you with big "ARE YOU SURE YOU WANT TO DO THIS..." messages if you try to run something executable, etc.

Pegasus was started as e-mail software for a college in New Zeland years ago (the college spent all their money on the computers and OS and didn't get e-mail in the mix). It's since been upgraded to Windows, supportts POP3 and now MAPI for reading e-mail. I don't know if I have the latest version but they are also supposed to be putting a full contact manager in it as well (I guess to compete with Outlook).
PHIL

Image
Member of P.I.E. -- Pictures of Inkhana for Everyone!! Join the fight!!
Image
User avatar
madphilb
 
Posts: 1057
Joined: Thu May 29, 2003 1:46 pm
Location: Sunny St. Pete, FL

Postby Straylight » Thu Mar 11, 2004 8:07 am

I like using "Mozilla Thunderbird" myself, cos it feels just like Outlook, but with all the nonsense removed. Pegasus is good though.
[align=center]
Image
Banner above created using my avatar generator tool.
You know you want try it.
User avatar
Straylight
 
Posts: 2346
Joined: Mon May 26, 2003 12:00 pm
Location: Manchester, UK

Postby Fsiphskilm » Fri Mar 12, 2004 9:19 pm

Once again
I'm leaving CAA perminantly. i've wanted to do this for a long time but I've never gathered the courage to let go.
User avatar
Fsiphskilm
 
Posts: 3853
Joined: Mon Nov 03, 2003 12:00 pm
Location: USA


Return to Computing and Links

Who is online

Users browsing this forum: No registered users and 150 guests