Microsoft issues patch for new Outlook security hole

Computerworld

(IDG) -- Microsoft Corp. has identified another security hole in its Outlook e-mail software and said a fix is available for the glitch.

The software maker last week released a patch for its Outlook and Outlook Express clients, following the identification of a hole in the software that could allow hackers to use a vCard to disable Outlook, or run code through Outlook.

The vCard attachment is a common way to share address book information.

This exploit, like many viruses, will work only if the user opens an infected attachment in an e-mail document. It was reported to Microsoft by Ollie Whitehouse, a British programmer.

The patch is available from Microsoft. As always, the company urged users to follow sound security measures, which include not opening unexpected attachments, especially from strangers.

However, as evidenced by the spread of the Kournikova virus last week, users are still all too willing to open suspect attachments (see "Virus proves users, systems still vulnerable, security experts say," link below).

According to the Microsoft security advisory, "Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer."

A buffer temporarily stores data in devices or software. Programmers can design buffers to check the size of data entered into them and reject entries that are too long. When they are "unchecked," it means there is no such safeguard, and users can enter any amount of data. In the case of Outlook, the unchecked buffer would allow a malicious user to create a vCard that contains what Microsoft called "specially malformed data." When a recipient opens such a vCard, the data would overflow the available buffer size and crash the e-mail software.

"In a more serious case, a malicious user could exploit the unchecked buffer to run unauthorized code on the other user's computer," Microsoft warned.
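The difference between an unchecked and a checked buffer, shown in C as an added example; this is not Microsoft's code and not taken from the advisory. The 64-byte field size, the struct, the function names and the choice of the vCard "FN:" (formatted name) line are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed field capacity, not Outlook's real size */

struct contact { char name[NAME_MAX_LEN]; };

/* Unchecked: strcpy copies until the NUL byte, whatever the destination holds.
   A value of NAME_MAX_LEN bytes or more writes past the end of c->name. */
void set_name_unchecked(struct contact *c, const char *value) {
    strcpy(c->name, value);
}

/* Checked: compare the length with the capacity first and reject long input. */
int set_name_checked(struct contact *c, const char *value, size_t len) {
    if (len >= sizeof c->name)
        return -1;                      /* too long: refuse, copy nothing */
    memcpy(c->name, value, len);
    c->name[len] = '\0';
    return 0;
}

/* Parse one vCard "FN:" line using the checked copy. */
int parse_fn_line(struct contact *c, const char *line) {
    if (strncmp(line, "FN:", 3) != 0)
        return -2;                      /* not an FN property */
    const char *value = line + 3;
    return set_name_checked(c, value, strcspn(value, "\r\n"));
}

/* Constructed input: an FN line whose value is n bytes of 'A'. */
int parse_constructed(size_t n, struct contact *c) {
    char line[512] = "FN:";
    if (n > sizeof line - 6)
        return -3;                      /* would not fit the sample line */
    memset(line + 3, 'A', n);
    memcpy(line + 3 + n, "\r\n", 3);    /* CRLF plus terminating NUL */
    return parse_fn_line(c, line);
}

int main(void) {
    struct contact c = {0};
    printf("63-byte name:  %d\n", parse_constructed(63, &c));
    printf("200-byte name: %d\n", parse_constructed(200, &c));
    return 0;
}
```

The checked path accepts a name that fits and returns an error for the oversized one instead of writing past the field.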

Sara Radicati, president and CEO of The Radicati Group in Palo Alto, Calif., said she hadn't heard that this hole was a problem yet.

"This is such a low-level issue . . . it just might not have bubbled up yet," she said.




RELATED IDG.net STORIES:
Virus proves users, systems still vulnerable, security experts say
(Computerworld)
Microsoft Outlook target of new worms, viruses
(IDG.net)
How to batten down the hatches on Media Player, Outlook, Explorer
(PCWorld.com)
Microsoft scrambling to fix new Outlook security hole
(Computerworld)
Microsoft to issue Outlook security patch
(Computerworld)
Defending against Outlook viruses
(Network World Fusion)
Security holes found in Windows Media Player
(IDG.net)
Security hole in IE 5.5 allows attackers to view files, Web pages
(Computerworld)

RELATED SITES:
Microsoft Corp.


