OT: MS and e-mail

Fairlight fairlite at fairlite.com
Mon May 24 19:17:28 PDT 2004


Confusious (GCC Consulting) say:
> Well I think Microsoft has finally gotten it right.
> 
> I am using the latest version of Outlook 2003.  For those of you who aren't

How right could they have gotten it?  From SANS:

*****
(1) HIGH: Microsoft Outlook Arbitrary Code Execution
Affected: Outlook 2003

Description: The default security setting of Outlook 2003 ("Restricted
Zone") does not allow execution of Active-X controls and arbitrary
scripts. However, it is reported that an email containing an embedded
OLE object such as a Windows media player, can bypass these security
checks. By exploiting this flaw in conjunction with the Outlook's flaw
of storing files specified in "img" tags at a predictable location, it
may be possible to silently execute arbitrary code on the client system.
The code would execute with the privileges of the logged-on user. A
proof-of-concept exploit has been posted.

Status: Microsoft has not confirmed, no updates available.
*****

What I found amusing was that there were about three holes in MS products
in this particular report, and there were no confirmations or patches for
them.  Other third-party software all around it in the same report had
confirmations and patch or upgrade information.

Great commitment to security.  :)

-- 
Bring the web-enabling power of OneGate to -your- filePro applications today!

Try the live filePro-based, OneGate-enabled demo at the following URL:
               http://www2.onnik.com/~fairlite/flfssindex.html
