Feeds

Serious Outlook hole patched

ActiveX threats, memory leaks, cross-site scripting and more

  • alert
  • submit to reddit

Internet Security Threat Report 2014

MS Bug Roundup MS has patched a serious vulnerability in Outlook 2002 by which an attacker could take over one's machine. At issue is an ActiveX feature, the Outlook View Control, which enables mail folders to be viewed via Web pages. In Outlook 2K the flaw doesn't give up control, but could allow for minor mischief.

MS suggested a workaround last month while it worked on a patch. The job is finished now, and the crucial 2002 patch is available here, while the more or less optional 2K patch is available here.



A CSS (

cross-site scripting

) vulnerability in Hotmail which could have allowed for considerable HTML mischief was sorted out before it became popular, thanks to

WhiteHat Security

which found it and alerted MS.

At issue is the possibility that outside content can get past HTML and JavaScript filters and into a dynamic HTML Web page, from which it could execute arbitrary code on a victim's machine.

In spite of filtering, "obfuscated content may elude the current filters and execute within the users browser environment," according to the Whitehat bulletin.

A sample exploit might be an e-mail containing HTML like this:

<HTML><BODY>
<br><STYLE TYPE="application/x-javascript">
<br>alert('JavaScript has been Executed');
<br></STYLE>
<br></BODY></HTML>

The "application/x-javascript" TYPE attribute causes the following expression to be interpreted as JavaScript, Whitehat says.

The vulnerability was reported to MS on 10 August and by the fourteenth it was fixed. It still, however, affects Netscape, and any number of other Web applications. Makes you wish you could force your e-mail client to preview and display messages as text only....



Three vulnerabilities in MS ISA (Internet Security and Acceleration) Server 2000 are being addressed in a single patch. We have the denial of service vulnerability involving the H.323 Gatekeeper Service which supports voice-over-IP traffic through the firewall, caused by a memory leak; the cross-site scripting vulnerability affecting error pages that ISA generates in response to a failed request for a web page; and the denial of service vulnerability in the in the proxy service, also caused by a memory leak. The relevant bulletin is

here

; and the patch is

here

.



A buffer overflow vulnerability in the Win-2K IrDA (infrared connection) driver could enable an attacker to cause an access violation on one's system and so cause a reboot. Since the attacker needs to be located within about two feet of the victim and have a direct line of sight to his infrared port, this one is pretty much a parlor trick. However, if anyone finds it more threatening than entertaining, MS has developed a patch for it, located

here

.

Security for virtualized datacentres

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Yes, Virginia, there IS a W3C HTML5 standard – as of now, that is
You asked for it! You begged for it! Then you gave up! And now it's HERE!
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.