OT: MS and e-mail
Bill Vermillion
fp at wjv.com
Mon May 24 19:42:28 PDT 2004
On Mon, May 24, 2004 at 10:17:28PM -0400, Fairlight thus spoke:
> Confusious (GCC Consulting) say:
> > Well I think Microsoft has finally gotten it right.
> > I am using the latest version of Outlook 2003. For those of you who aren't
>
> How right could they have gotten it? From SANS:
> *****
> (1) HIGH: Microsoft Outlook Arbitrary Code Execution
> Affected: Outlook 2003
> Description: The default security setting of Outlook 2003 ("Restricted
> Zone") does not allow execution of Active-X controls and arbitrary
> scripts. However, it is reported that an email containing an embedded
> OLE object such as a Windows media player, can bypass these security
> checks. By exploiting this flaw in conjunction with the Outlook's flaw
> of storing files specified in "img" tags at a predictable location, it
> may be possible to silently execute arbitrary code on the client system.
> The code would execute with the privileges of the logged-on user. A
> proof-of-concept exploit has been posted.
It has been noted by security people that shortly after a
proof-of-concept is announced someone finds a way around it.
Note that last line about 'privileges of a logged-on user'. This
means that if you are running XP your normal account should not
have administrator privileges. Save that for 'admin' or some other
administrative login. It may help a little.
Bill
--
Bill Vermillion - bv @ wjv . com
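The least-privilege advice above (run day-to-day as a non-administrator and keep a separate admin login for administrative work) can be checked and put into practice from PowerShell. This is an added example, not code from the original post or the list; the account name 'CORP\admin-bill' is a placeholder assumption, and Get-LocalGroupMember needs Windows 10 / Server 2016 or later (on older systems such as XP the equivalent is `net localgroup Administrators`).

```powershell
# Added example, not part of the original mailing-list post.
# 1. Report whether the current session holds administrator rights.
# 2. List who actually holds local admin on this machine.
# 3. Run a single administrative program under a separate admin account
#    instead of making the everyday account an administrator.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Logged on as: $($identity.Name)"
"Current process has administrator rights: $isAdmin"
# On UAC-era Windows this reflects the token of this process: an admin user in a
# non-elevated shell reports False, which is the state you want for mail and browsing.

# Who holds local admin? Anything beyond the built-in account and a dedicated
# admin login is a candidate for removal.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Launch one admin tool (here the local users and groups snap-in) with the
# separate admin account, prompting for its password each time.
# 'CORP\admin-bill' is a placeholder account name, an assumption for this example.
$cred = Get-Credential -UserName 'CORP\admin-bill' -Message 'Admin account for this task only'
Start-Process -FilePath 'mmc.exe' -ArgumentList 'lusrmgr.msc' -Credential $cred
```

Run the first part from the account you read mail with: if it reports True, an exploit running "with the privileges of the logged-on user" gets full control of the machine, which is exactly what the separate admin login is meant to avoid.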