Feeds

MS Word runs malicious e-mail scripts

Patch on

  • alert
  • submit to reddit

Intelligent flash storage arrays

If you've chosen MS Word for your e-mail editor in Outlook 2000 or 2002, you'll need to patch a flaw which enables script execution when a malicious memo is replied to or forwarded.

Outlook blocks scripts when an HTML e-mail is viewed; but when Word is the editor, replying or forwarding calls it in an unprotected mode, and it then allows the script to run. Essentially, Word behaves as if a new memo were being created, a situation where security wouldn't be an issue. The actual flaw, then, is a failure to distinguish between a user's own e-mail and his modifications to someone else's.

The consequences of exploitation here are running arbitrary code on the local machine with the user's level of privilege.

As usual, MS provides an extremely vague description of the exploit, calling it only a "specially malformed HTML e-mail," so we can't tell you anything about the likelihood of exploiting other versions of Outlook with this little oversight. We also can't verify that the patches work as advertised. But none of that is necessary, now that Trustworthy Computing is in force.

The MS bulletin, along with links to the patches, is posted here. ®

Remote control for virtualized desktops

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.