By John Leyden, VNU Net
Microsoft has issued a patch for a vulnerability in its Outlook
messaging software that could allow an attacker to use a message
formatted in HTML to read files on a victim’s machine.
In a security notice on the issue, online security advisory
service CERT warned that the “Cache Bypass” vulnerability could be
used in conjunction with other techniques to allow files, which
could be Trojan Horse-style malicious code, to be placed on an
unwary user’s computer.
This is possible because the vulnerability allows attackers to
use HTML-formatted messages to store files outside the browser
cache, in a location where they are subject to more permissive
security policies than content from the Internet.
CERT said that the vulnerability is potentially damaging. “When
exploited, this vulnerability allows an attacker to store an HTML
file in an area that is not protected by the policies of the
‘Internet Zone’. This file may then be used to open arbitrary files
on [a] machine and send the contents back to the attacker.”
However, other security experts were careful to downplay the
seriousness of the flaw.
Matthew Pemble, an ex-military ethical hacker, and now senior
information security specialist at IS integration, said: “This
vulnerability would only allow you to read files whose default
reader is Internet Explorer – such as HTML and text files. This is
nowhere near as severe as the buffer overflow vulnerability that
affected Outlook users last week.”
“The latest vulnerability is academic until it is incorporated
in a virus,” he added.
Like the buffer overflow issue, the root cause of the latest
problem is a component that is shared by both Outlook and Outlook
Express. As a result, the vulnerability affects both products.
Microsoft has advised users either to install a patch, which it
has made available online, or to upgrade to the default versions of
IE 5.01 Service Pack 1 or 5.5, on any system except Windows 2000.
Separately, Microsoft has issued a patch for the buffer overflow
vulnerability, allowing users to protect themselves without a full
version upgrade. That vulnerability was severe because, left
uncorrected, it could allow users to become infected with email
viruses before they had even finished downloading their email.