Unsafe functionality exposure in MS Outlook

Reported July 13, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Outlook 2002, 2000, and 98

DESCRIPTION
A vulnerability exists in Microsoft Outlook that might let an attacker manipulate Outlook data. The vulnerability stems from the Outlook View Control, an ActiveX control that lets users view Outlook mail folders from Web pages. The control exposes a function that might let the Web page manipulate Outlook data, and thereby let an attacker delete mail, change calendar information, or take other actions through Outlook, including running arbitrary code on the user's machine.

VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-038 for this vulnerability. A patch will be available in the near future, but as a workaround, Microsoft recommends applying the Outlook 2000 SR-1 security update and temporarily disabling ActiveX controls in Internet Explorer's (IE's) Internet security zone.
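
Whether the Internet-zone part of this workaround is in effect on a host can be checked by reading the zone's ActiveX settings from the registry. The PowerShell below is an added example, not part of Microsoft's bulletin or this advisory; the function name is hypothetical, and checking the policy keys before the per-user key is a simplifying assumption about precedence.

```powershell
# Added example: audit ActiveX URL actions for IE's Internet zone (zone 3).
# Registry values for each action: 0 = enabled, 1 = prompt, 3 = disabled.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$SettingNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hypothetical helper name; returns one object per ActiveX action.
function Get-InternetZoneActiveXState {
    param(
        # Assumption: first key that defines the value wins (policy before user).
        [string[]]$ZoneKeys = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
            'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
        )
    )
    foreach ($action in $ActiveXActions.Keys) {
        $value = $null
        $source = $null
        foreach ($key in $ZoneKeys) {
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = [int]$item.$action
                $source = $key
                break
            }
        }
        # A missing value means the zone template default applies, so it is
        # reported as not confirmed rather than assumed safe.
        $setting = if ($null -eq $value) { 'Not set' }
                   elseif ($SettingNames.ContainsKey($value)) { $SettingNames[$value] }
                   else { "Unknown ($value)" }
        [pscustomobject]@{
            Action      = $action
            Description = $ActiveXActions[$action]
            Setting     = $setting
            Source      = $source
            Disabled    = ($value -eq 3)
        }
    }
}

Get-InternetZoneActiveXState | Format-Table -AutoSize
```

Any row where `Disabled` is `False` means that ActiveX action is still permitted or prompted in the Internet zone, so the workaround is not fully applied for that user.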

 

CREDIT
Discovered by Georgi Guninski.
