Feeds

Serious Outlook hole patched

ActiveX threats, memory leaks, cross-site scripting and more

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

MS Bug Roundup MS has patched a serious vulnerability in Outlook 2002 by which an attacker could take over one's machine. At issue is an ActiveX feature, the Outlook View Control, which enables mail folders to be viewed via Web pages. In Outlook 2K the flaw doesn't give up control, but could allow for minor mischief.

MS suggested a workaround last month while it worked on a patch. The job is finished now, and the crucial 2002 patch is available here, while the more or less optional 2K patch is available here.



A CSS (

cross-site scripting

) vulnerability in Hotmail which could have allowed for considerable HTML mischief was sorted out before it became popular, thanks to

WhiteHat Security

which found it and alerted MS.

At issue is the possibility that outside content can get past HTML and JavaScript filters and into a dynamic HTML Web page, from which it could execute arbitrary code on a victim's machine.

In spite of filtering, "obfuscated content may elude the current filters and execute within the users browser environment," according to the Whitehat bulletin.

A sample exploit might be an e-mail containing HTML like this:

<HTML><BODY>
<br><STYLE TYPE="application/x-javascript">
<br>alert('JavaScript has been Executed');
<br></STYLE>
<br></BODY></HTML>

The "application/x-javascript" TYPE attribute causes the following expression to be interpreted as JavaScript, Whitehat says.

The vulnerability was reported to MS on 10 August and by the fourteenth it was fixed. It still, however, affects Netscape, and any number of other Web applications. Makes you wish you could force your e-mail client to preview and display messages as text only....



Three vulnerabilities in MS ISA (Internet Security and Acceleration) Server 2000 are being addressed in a single patch. We have the denial of service vulnerability involving the H.323 Gatekeeper Service which supports voice-over-IP traffic through the firewall, caused by a memory leak; the cross-site scripting vulnerability affecting error pages that ISA generates in response to a failed request for a web page; and the denial of service vulnerability in the in the proxy service, also caused by a memory leak. The relevant bulletin is

here

; and the patch is

here

.



A buffer overflow vulnerability in the Win-2K IrDA (infrared connection) driver could enable an attacker to cause an access violation on one's system and so cause a reboot. Since the attacker needs to be located within about two feet of the victim and have a direct line of sight to his infrared port, this one is pretty much a parlor trick. However, if anyone finds it more threatening than entertaining, MS has developed a patch for it, located

here

.

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.