Feeds

MS Word runs malicious e-mail scripts

Patch on

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

If you've chosen MS Word for your e-mail editor in Outlook 2000 or 2002, you'll need to patch a flaw which enables script execution when a malicious memo is replied to or forwarded.

Outlook blocks scripts when an HTML e-mail is viewed; but when Word is the editor, replying or forwarding calls it in an unprotected mode, and it then allows the script to run. Essentially, Word behaves as if a new memo were being created, a situation where security wouldn't be an issue. The actual flaw, then, is a failure to distinguish between a user's own e-mail and his modifications to someone else's.

The consequences of exploitation here are running arbitrary code on the local machine with the user's level of privilege.

As usual, MS provides an extremely vague description of the exploit, calling it only a "specially malformed HTML e-mail," so we can't tell you anything about the likelihood of exploiting other versions of Outlook with this little oversight. We also can't verify that the patches work as advertised. But none of that is necessary, now that Trustworthy Computing is in force.

The MS bulletin, along with links to the patches, is posted here. ®

Beginner's guide to SSL certificates

More from The Register

next story
ONE MILLION people already running Windows 10
A third of them are doing it in VMs, but early feedback focuses on frippery
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Ploppr: The #VultureTRENDING App of the Now
This organic crowd sourced viro- social fertiliser just got REAL
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.