OT: MS and e-mail
Fairlight
fairlite at fairlite.com
Mon May 24 19:17:28 PDT 2004
Confusious (GCC Consulting) say:
> Well I think Microsoft has finally gotten it right.
>
> I am using the latest version of Outlook 2003. For those of you who aren't
How right could they have gotten it? From SANS:
*****
(1) HIGH: Microsoft Outlook Arbitrary Code Execution
Affected: Outlook 2003
Description: The default security setting of Outlook 2003 ("Restricted
Zone") does not allow execution of Active-X controls and arbitrary
scripts. However, it is reported that an email containing an embedded
OLE object, such as a Windows media player, can bypass these security
checks. By exploiting this flaw in conjunction with Outlook's flaw
of storing files specified in "img" tags at a predictable location, it
may be possible to silently execute arbitrary code on the client system.
The code would execute with the privileges of the logged-on user. A
proof-of-concept exploit has been posted.
Status: Microsoft has not confirmed, no updates available.
*****
What I found amusing was that there were about three holes in MS products
in this particular report, and there were no confirmations or patches for
them. Other third-party software all around it in the same report had
confirmations and patch or upgrade information.
Great commitment to security. :)
--
Bring the web-enabling power of OneGate to -your- filePro applications today!
Try the live filePro-based, OneGate-enabled demo at the following URL:
http://www2.onnik.com/~fairlite/flfssindex.html
More information about the Filepro-list
mailing list