Microsoft security: moderate to incomplete

By Matt Whipp

Posted on 5 Dec 2002 at 11:53

Microsoft has published two new patches for vulnerabilities in its products it rates as moderate.

The most serious, however, looks to be a flaw in Outlook 2002. Outlook 2002 clients that connect using POP3, IMAP or WebDAV protocols could be subject to attacks that cause the program to fail.

An attacker could create a malformed email that would exploit a flaw that occurs in the way Outlook 2002 processes header information. The target recipient would find that their client fails as long as the malformed email remains on the email server. Although an attacker would not have access to data stored on the email server, the exlpoit could potentially be used for a distributed denial of service attack.

Next up is a moderate alert for Internet Explorer 5.5 and 6 to a vulnerability that occurs because the security checks that IE runs on Web pages are incomplete. In short, if an attacker could persuade a target to view a specially crafted Web page or email, then they could potentially read files on the target system (but not modify them).

Microsoft rates the vulnerability as moderate because of the extreme difficulty of successfully exploiting it. An attacker would need to know the exact name and location of where a particular element is being cached. Additionally, Outlook Express 6.0 and Outlook 2002 in their default set-ups will block an HTML email attack as they open emails in a 'restricted zone'.

Moderate they may be, but patches are available at:

office.microsoft.com/downloads/2002/olk1005.aspx for the Outlook flaw.

www.microsoft.com/windows/ie/downloads/critical/q324929/default.asp for the IE flaw.