Microsoft patches e-mail editing hole in Outlook

A security vulnerability that could affect users of Microsoft Corp.’s Outlook 2000 and 2002 e-mail clients who use the company’s Word application as an e-mail editor has been patched, according to an advisory from Microsoft.

The vulnerability results from different security settings in the two applications used when an e-mail is being read and when it is being written, Microsoft said. When an e-mail is displayed in Outlook, the program uses the security settings of Internet Explorer, often configured to disallow the execution of scripts. When the e-mail is replied to or forwarded using Microsoft Word as the application to write the e-mail, Word’s security settings are used, which allow scripts to be run, the company said.

If an attacker were to send an HTML (Hypertext Markup Language) e-mail containing a script to a user who had their PC configured this way, then any code of the attacker’s choice could be run on the target PC if the user replied to or forwarded the e-mail, said Microsoft, based in Redmond, Wash.

Users who have applied Office XP Service Pack 1 are protected against this hole, the company said.

This issue was also the subject of a recent vulnerability announcement by independent security researcher Georgi Guninski.

More information about the flaw and the patch to fix it are available at http://www.microsoft.com/technet/security/bulletin/ms02-021.asp.

Would you recommend this article?

0
0

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News