Feeds

Serious Outlook hole patched

ActiveX threats, memory leaks, cross-site scripting and more

  • alert
  • submit to reddit

Designing a Defense for Mobile Applications

MS Bug Roundup MS has patched a serious vulnerability in Outlook 2002 by which an attacker could take over one's machine. At issue is an ActiveX feature, the Outlook View Control, which enables mail folders to be viewed via Web pages. In Outlook 2K the flaw doesn't give up control, but could allow for minor mischief.

MS suggested a workaround last month while it worked on a patch. The job is finished now, and the crucial 2002 patch is available here, while the more or less optional 2K patch is available here.



A CSS (

cross-site scripting

) vulnerability in Hotmail which could have allowed for considerable HTML mischief was sorted out before it became popular, thanks to

WhiteHat Security

which found it and alerted MS.

At issue is the possibility that outside content can get past HTML and JavaScript filters and into a dynamic HTML Web page, from which it could execute arbitrary code on a victim's machine.

In spite of filtering, "obfuscated content may elude the current filters and execute within the users browser environment," according to the Whitehat bulletin.

A sample exploit might be an e-mail containing HTML like this:

<HTML><BODY>
<br><STYLE TYPE="application/x-javascript">
<br>alert('JavaScript has been Executed');
<br></STYLE>
<br></BODY></HTML>

The "application/x-javascript" TYPE attribute causes the following expression to be interpreted as JavaScript, Whitehat says.

The vulnerability was reported to MS on 10 August and by the fourteenth it was fixed. It still, however, affects Netscape, and any number of other Web applications. Makes you wish you could force your e-mail client to preview and display messages as text only....



Three vulnerabilities in MS ISA (Internet Security and Acceleration) Server 2000 are being addressed in a single patch. We have the denial of service vulnerability involving the H.323 Gatekeeper Service which supports voice-over-IP traffic through the firewall, caused by a memory leak; the cross-site scripting vulnerability affecting error pages that ISA generates in response to a failed request for a web page; and the denial of service vulnerability in the in the proxy service, also caused by a memory leak. The relevant bulletin is

here

; and the patch is

here

.



A buffer overflow vulnerability in the Win-2K IrDA (infrared connection) driver could enable an attacker to cause an access violation on one's system and so cause a reboot. Since the attacker needs to be located within about two feet of the victim and have a direct line of sight to his infrared port, this one is pretty much a parlor trick. However, if anyone finds it more threatening than entertaining, MS has developed a patch for it, located

here

.

Boost IT visibility and business value

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.