OT: MS and e-mail

Bill Vermillion fp at wjv.com
Mon May 24 19:42:28 PDT 2004


On Mon, May 24, 2004 at 10:17:28PM -0400, Fairlight thus spoke:
> Confusious (GCC Consulting) say:
> > Well I think Microsoft has finally gotten it right.

> > I am using the latest version of Outlook 2003.  For those of you who aren't
> 
> How right could they have gotten it?  From SANS:

> *****
> (1) HIGH: Microsoft Outlook Arbitrary Code Execution
> Affected: Outlook 2003

> Description: The default security setting of Outlook 2003 ("Restricted
> Zone") does not allow execution of Active-X controls and arbitrary
> scripts. However, it is reported that an email containing an embedded
> OLE object such as a Windows media player, can bypass these security
> checks. By exploiting this flaw in conjunction with the Outlook's flaw
> of storing files specified in "img" tags at a predictable location, it
> may be possible to silently execute arbitrary code on the client system.
> The code would execute with the privileges of the logged-on user. A
> proof-of-concept exploit has been posted.

It has been noted by security people that shortly after a
proof-of-concept is announced someone finds a way around it.

Note that last line about 'privileges of a logged-on user'.  This
means that if you are running XP your normal account should not
have administrator privileges.  Save that for 'admin' or some other
administrative login.  It may help a little.

Bill
-- 
Bill Vermillion - bv @ wjv . com
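The practical check behind Bill's advice is whether the login you read mail under holds administrator rights, since the SANS item says the code runs with that user's privileges. The following script is an added example and is not part of the list post or anything Bill or SANS published; it assumes a Windows box with PowerShell installed (not a stock XP install of 2004, where the same information comes from the `net localgroup Administrators` command it wraps). The function names are mine.

```powershell
# Added example (not from the list post): report whether the interactive
# Windows login has administrative privileges, and list the local
# Administrators group, so a user can confirm that day-to-day mail reading
# runs without admin rights. Function names are hypothetical.

function Test-IsLocalAdmin {
    # True when the current access token is a member of BUILTIN\Administrators.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Parses the output of 'net localgroup Administrators' (present on XP and later).
    # Member names sit between the dashed separator line and the
    # "The command completed successfully." trailer.
    $lines   = net localgroup Administrators 2>$null
    $members = @()
    $inList  = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}$')              { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim() -ne '')    { $members += $line.Trim() }
    }
    return $members
}

$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-IsLocalAdmin) {
    Write-Warning "$user is running with administrator privileges; code launched from a mail client inherits them."
} else {
    Write-Host "$user is a standard user; code launched from a mail client gets the same limited rights."
}
Write-Host "Members of the local Administrators group:"
Get-LocalAdminMembers | ForEach-Object { Write-Host "  $_" }
```

Two checks are shown because they answer different questions: the `IsInRole` test looks at the token of the running session, while `net localgroup` lists group membership. On Vista and later, an Administrators member who is not elevated runs on a filtered token, so the first check reports a standard user even though the second still lists the account. On XP there is no such filtering, which is why Bill's split into a day-to-day account and a separate 'admin' login matters there; administrative tasks can then be started from the limited account with the built-in `runas /user:admin` command instead of logging in as admin.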


More information about the Filepro-list mailing list