Feeds

Two new exploits run without victims' action

And guess whose $oftware is implicated....

  • alert
  • submit to reddit

Security for virtualized datacentres

It's been a busy week for software bug hunters. First, users of Microsoft Outlook and Outlook Express will be bitterly disappointed to learn that they are now potential sport of an e-mail exploit which will run automatically, without any action from the victim, a possibility which has been predicted for years while Redmond has persistently ignored it.

Malicious code can be concealed in an e-mail header to trigger a buffer overflow, after which an attacker can include commands which will run as if they had been entered by the victim.

Once that's been accomplished, the sky's the limit in terms of what an imaginative attacker could do to a victim's computer - from viewing or sending files to a remote location, changing system settings, deleting files, uploading and executing Trojans, re-formatting a hard disk - virtually anything is possible.

"Clearly this is a serious vulnerability," Microsoft security program manager Scott Culp, warbled during a telephone interview with the Associated Press on Wednesday. (We told you these guys were brilliant.)

Australian Aaron Drew posted his findings Tuesday to the NTBugTraq mailing list, complete with sample code. South American security outfit USSR Labs had also found the exploit approximately two weeks ago but did not announce it in hopes that Redmond would cobble together a fix first.

Microsoft says the hole will not affect users running Outlook in "corporate and workgroup mode"; only those running it in "Internet-only mode", and home users of Outlook Express, are vulnerable.

Microsoft said the problem is in Internet Explorer, and the company recommends that users upgrade to IE 5.01, Service Pack 1. Internet Explorer 5.5 is safe for all users, except those running Windows 2000, who also need to download IE 5.01 SP1.

Microsoft's security bulletin may be found here, while the service pack can be found here.

If that wasn't bad enough, the US System Administration, Networking, and Security (SANS) Institute found another Microsoft weakness, this time involving ActiveX controls, which it called "probably the most dangerous programming error in Windows workstation (all varieties - 95, 98, 2000, NT 4.0) that Microsoft has made".

A SANS security alert states that users are vulnerable to a total system compromise when they preview or read an infected e-mail message if they're running any of the affected operating systems and have Microsoft Access 97 or 2000, Internet Explorer 4.0 or higher, including version 5.5 that ships with Windows 2000.

The exploit was first discovered 27 June, but Microsoft requested that SANS not release the details until a fix could be developed.

Users running systems with Outlook, Outlook Express, Eudora, or any mail client which uses Internet Explorer to render HTML documents are also vulnerable to this exploit through e-mail, SANS says.

According to the advisory, an attacker can get into Microsoft Access using ActiveX controls without the victim knowing that it's happening. Malicious code can be written so as to execute before the victim is warned, the Institute explains. Even when the victim has disabled active scripting, the code can run.

All Windows systems (Windows 2000, NT 4.0, 98 and 95) are vulnerable if they have the following installed: Microsoft Excel 2000 or PowerPoint 97 or 2000; Internet Explorer 4.0 or higher, including 5.5; Outlook, Outlook Express, Eudora, or any other mail reader that uses IE to render HTML.

A complete workaround is available here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.