Reported July 13, 2001, by Microsoft.
VERSIONS AFFECTED
Microsoft Outlook 2002, 2000, and 98
DESCRIPTION
A vulnerability exists in Microsoft Outlook that might let a malicious attacker manipulate Outlook data. This vulnerability stems from the Outlook View Control ActiveX control, which lets users view Outlook mail folders from Web pages. This ActiveX control exposes a function that might let the Web page manipulate Outlook data, and thereby let an attacker delete mail, change calendar information, or take other actions through Outlook, including running arbitrary code on the user's machine.
VENDOR RESPONSE
The vendor, Microsoft, has released security bulletin MS01-038 for this vulnerability. A patch will be available in the near future, but as a workaround, Microsoft recommends applying the Outlook 2000 SR-1 security update and temporarily disabling ActiveX controls in Internet Explorer’s (IE's) Internet security zone.
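To check whether the ActiveX part of this workaround is in place on a machine, the following read-only audit is an added example and is not taken from the bulletin or from Microsoft. It assumes the standard IE zone registry layout (zone 3 is the Internet zone, URL action 1200 is "Run ActiveX controls and plug-ins", value 3 means Disable); none of these identifiers appear in the advisory itself.

```powershell
# Added example: read-only audit of the "Run ActiveX controls and plug-ins"
# URL action (1200) for IE's Internet zone (zone 3). The registry locations and
# value meanings are assumptions based on the standard IE zone settings layout.
$zone    = 3        # Internet zone
$action  = '1200'   # Run ActiveX controls and plug-ins
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }
$suffix  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"

# Every location IE can read this zone setting from, policy hives first.
$locations = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\$suffix"
    'User policy'     = "HKCU:\Software\Policies\$suffix"
    'Machine setting' = "HKLM:\SOFTWARE\$suffix"
    'User setting'    = "HKCU:\Software\$suffix"
}

$report = foreach ($name in $locations.Keys) {
    $item = Get-ItemProperty -Path $locations[$name] -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null; $setting = 'Not set'
    } else {
        $value = [int]$item.$action
        $setting = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown ($value)" }
    }
    [pscustomobject]@{ Location = $name; Value = $value; Setting = $setting }
}
$report | Format-Table -AutoSize

# Which location wins depends on policy precedence, which this script does not
# resolve; it flags every location that is set to something other than Disable.
$explicit    = @($report | Where-Object { $null -ne $_.Value })
$notDisabled = @($explicit | Where-Object { $_.Value -ne 3 })
if ($explicit.Count -eq 0) {
    Write-Warning 'Action 1200 is not set in any of the audited locations.'
} elseif ($notDisabled.Count -gt 0) {
    Write-Warning ('ActiveX is not disabled in: ' + ($notDisabled.Location -join ', '))
} else {
    Write-Output 'ActiveX controls are disabled for the Internet zone in every configured location.'
}
```

The script only reads the registry; it does not verify that the Outlook 2000 SR-1 security update is installed, which has to be checked separately.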
CREDIT
Discovered by Georgi Guninski.