
CERT Announces M$ Outlook Vulnerability

PostPosted: Thu Mar 11, 2004 7:00 am
by Mithrandir
(As though it were NEWs to people...) Anyway, I just found out about a new security vulnerability in Microsoft Outlook. I would STRONGLY recommend finding another tool if you can, but if you can't, at LEAST apply the patch...

The patch (Bulletin MS04-009) can be downloaded from here:
http://www.microsoft.com/security/security_bulletins/20040309_office.asp

Here's the pertinent info.

A vulnerability in the way that Microsoft Outlook 2002 handles a certain type of URL could allow a remote attacker to execute arbitrary code on the vulnerable system.

Microsoft Outlook provides a centralized application for managing and organizing email messages, schedules, tasks, notes, contacts, and other information. Outlook is included as a component of newer versions of Microsoft Office and available as a stand-alone product.

Outlook 2002 exposes a vulnerability due to inadequate checking of parameters passed to the Outlook email client. The vulnerability is caused by the way a "mailto:" URL is interpreted. An attacker creating specially formatted "mailto:" URLs can cause Outlook to run privileged script, ultimately leading to the execution of arbitrary code. The malicious code could be delivered to the victim via a specially crafted HTML email message or from an intruder-controlled web page.

Microsoft originally stated that users were only at risk from this vulnerability when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page. Subsequent information has been published that indicates that this is not true and users in other situations are vulnerable via a slightly different attack vector.
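The advisory above boils down to one defect: the client accepted "mailto:" URL parameters without checking them. As an added example (not code from the original post, from CERT, or from Microsoft), here is what strict parameter checking of a mailto: URL looks like, of the kind a mail gateway or HTML sanitizer could apply to links before they reach a client that hands such URLs to the local mail program. The header whitelist follows RFC 2368; the address pattern and the length limit are assumptions chosen for the example.

```python
"""Strict mailto: URL checker (added example; assumptions noted in comments)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Header fields RFC 2368 lets a mailto: URL pre-fill; anything else is rejected.
ALLOWED_HEADERS = {"to", "cc", "bcc", "subject", "body"}
# Deliberately simple address shape check (assumption); stricter parsers exist.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_URL_LEN = 2048  # assumed limit; tune for the environment


def _has_control_chars(text, allow_crlf=False):
    """True if text contains ASCII control characters (CR/LF optionally tolerated)."""
    for ch in text:
        if ord(ch) < 32 or ord(ch) == 127:
            if allow_crlf and ch in "\r\n":
                continue
            return True
    return False


def _valid_addresses(raw):
    """raw is a comma-separated recipient list; True if every entry is a plain address."""
    addrs = [a.strip() for a in raw.split(",") if a.strip()]
    return bool(addrs) and all(ADDR_RE.match(a) for a in addrs)


def check_mailto(url):
    """Return (ok, reason). ok is True only when every component of the URL is
    something a mail client should be willing to hand to its compose window."""
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        return False, "not a mailto: URL"
    # mailto: has no authority or fragment; their presence means a malformed URL.
    if parts.netloc or parts.fragment:
        return False, "unexpected authority or fragment component"
    recipients = []
    if parts.path:
        path = unquote(parts.path)
        if _has_control_chars(path) or not _valid_addresses(path):
            return False, "malformed recipient list"
        recipients.append(path)
    # parse_qsl percent-decodes values, so checks below see the real characters.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = key.lower()
        if name not in ALLOWED_HEADERS:
            return False, "disallowed header parameter: %s" % key
        if name in ("to", "cc", "bcc"):
            if _has_control_chars(value) or not _valid_addresses(value):
                return False, "malformed address in %s" % name
            if name == "to":
                recipients.append(value)
        # CR/LF is legitimate inside body, but in subject it would smuggle headers.
        elif _has_control_chars(value, allow_crlf=(name == "body")):
            return False, "control characters in %s" % name
    if not recipients:
        return False, "no recipient"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    samples = [
        "mailto:alice@example.com?subject=Hello",
        "mailto:alice@example.com,bob@example.org?cc=carol@example.net&body=line1%0D%0Aline2",
        "mailto:alice@example.com?subject=Hello&X-Bogus=1",
        "mailto://alice@example.com",
        "mailto:alice@example.com?subject=Hi%0D%0ABcc:x@y.com",
        "http://example.com",
    ]
    for s in samples:
        print("%-5s %s  (%s)" % (check_mailto(s)[0], s, check_mailto(s)[1]))
```

The design point is that the checker is a whitelist: it names the five header fields the URL form may carry and the character classes each may contain, and everything else is refused, rather than trying to enumerate bad inputs.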

PostPosted: Thu Mar 11, 2004 7:50 am
by madphilb
I highly recommend Pegasus for Windows users. I've been using this program for a long time and have been very happy with it (it now even supports a good deal of HTML in the messages).

The main upside is that it does not support any sort of scripting in the messages, let alone Java or ActiveX, and it hollers at you with big "ARE YOU SURE YOU WANT TO DO THIS..." messages if you try to run something executable, etc.

Pegasus was started as e-mail software for a college in New Zealand years ago (the college spent all their money on the computers and OS and didn't get e-mail in the mix). It's since been upgraded to Windows, supports POP3 and now MAPI for reading e-mail. I don't know if I have the latest version but they are also supposed to be putting a full contact manager in it as well (I guess to compete with Outlook).

PostPosted: Thu Mar 11, 2004 8:07 am
by Straylight
I like using "Mozilla Thunderbird" myself, cos it feels just like Outlook, but with all the nonsense removed. Pegasus is good though.

PostPosted: Fri Mar 12, 2004 9:19 pm
by Fsiphskilm
Once again