Linux Today: Linux News On Internet Time.

More on LinuxToday

VNU Net: Microsoft hit by further Outlook bug

Jul 27, 2000, 23:12 (10 Talkback[s])
(Other stories by John Leyden)

By John Leyden, VNU Net

Microsoft has issued a patch for a vulnerability in its Outlook messaging software that could allow an attacker to use a message formatted in HTML to read files on a victim's machine.

In a security notice on the issue, online security advisory service CERT warned that the "Cache Bypass" vulnerability could be used in conjunction with other techniques to allow files, which could be Trojan Horse-style malicious code, to be placed on an unwary user's computer.

This is possible because the vulnerability allows attackers to use HTML-formatted messages to store files outside a cache where they are subject to more permissive security policies.

CERT said that the vulnerability is potentially damaging. "When exploited, this vulnerability allows an attacker to store an HTML file in an area that is not protected by the policies of the 'Internet Zone'. This file may then be used to open arbitrary files on [a] machine and send the contents back to the attacker."

However, other security experts were careful to downplay the seriousness of the flaw.

Matthew Pemble, an ex-military ethical hacker, and now senior information security specialist at IS integration, said: "This vulnerability would only allow you to read files whose default reader is Internet Explorer - such as HTML and text files. This is nowhere near as severe as the buffer overflow vulnerability that affected Outlook users last week."

"The latest vulnerability is academic until it is incorporated in a virus," he added.

Like the buffer overflow issue, the root cause of the latest problem is a component that is shared by both Outlook and Outlook Express. As a result, the vulnerability affects both products.

Microsoft has advised users to either install a patch, which it has made available online, or to upgrade to default versions of IE 5.01 Service Pack 1 or 5.5, on any system except Windows 2000.

Separately, Microsoft has issued a patch for the buffer overflow vulnerability allowing users to protect themselves without a full version upgrade. This vulnerability was severe because, left uncorrected, it could allow users to become infected with email viruses before they download email.

Related Stories: