
Microsoft warns of new Outlook bug

The software giant warns that a bug in its Outlook and Outlook Express software could potentially render useless its "safe computing" advice to help protect PCs against virus attacks.

Paul Festa, Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
Microsoft today warned that a bug in its Outlook and Outlook Express Internet software could potentially render useless its "safe computing" advice to help protect PCs against virus attacks.

Microsoft and other software sellers and security organizations have long warned people that they should protect themselves against email viruses by not opening attachments they are not expecting.

But under a potential exploit Microsoft described today, email recipients wouldn't even have to open booby-trapped attachments or the email message. Simply receiving the message from the email server would be enough to trigger the damage.

A component distributed with Microsoft's Internet Explorer browser and shared by both Outlook and Outlook Express is vulnerable to a buffer overflow exploit.

Said to be the most common software bug of the past 10 years, the buffer overflow problem lies in the way input fields handle strings of data longer than they were designed to hold.

In this instance, the date field of Outlook email is vulnerable to a buffer overflow attack, in which a bogus and extremely long date can cause the application to crash and send the excess characters (potentially malicious code) into memory, where they can be executed.
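The date-field flaw described above, as an added illustration that is not Microsoft's code or the actual bug: a bounded parser for a "Date:" header that refuses values longer than its buffer instead of letting them spill into memory, plus a header-scanning check a mail gateway could use to flag such messages before delivery. The 64-byte limit, the function names and the sample headers are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bound: well-formed Date values are far shorter. The unsafe idiom the
 * article describes is strcpy(fixed_buf, value) with no such check. */
#define DATE_FIELD_MAX 64

enum date_status { DATE_OK = 0, DATE_NOT_DATE = 1, DATE_TOO_LONG = 2 };

/* Bounded parser: copies the value of a "Date:" line into dst, refusing (not truncating) values that do not fit. */
int parse_date_header(const char *line, char *dst, size_t dstlen)
{
    static const char prefix[] = "Date:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return DATE_NOT_DATE;
    const char *value = line + sizeof prefix - 1;
    while (*value == ' ' || *value == '\t')
        value++;
    size_t len = strcspn(value, "\r\n");   /* value ends at end of line */
    if (len >= dstlen)                      /* no room for value plus NUL */
        return DATE_TOO_LONG;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return DATE_OK;
}

/* Gateway-style check over a raw header block: 1 if any Date header would overflow a DATE_FIELD_MAX buffer. */
int message_has_overlong_date(const char *headers)
{
    char buf[DATE_FIELD_MAX];
    for (const char *p = headers; *p; ) {
        if (parse_date_header(p, buf, sizeof buf) == DATE_TOO_LONG)
            return 1;
        const char *nl = strchr(p, '\n');
        if (nl == NULL) break;
        p = nl + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: a normal header block and one whose Date value is 200 bytes. */
    const char *benign = "From: a@example.com\r\nDate: Tue, 18 Jul 2000 10:00:00 -0700\r\n";
    char hostile[256] = "Date: ";
    memset(hostile + 6, 'A', 200);
    memcpy(hostile + 206, "\r\n", 3);
    printf("benign: %d hostile: %d\n", message_has_overlong_date(benign), message_has_overlong_date(hostile));
    return 0;
}
```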

Microsoft said it is working on patches that will protect against the vulnerability, with patches available for some versions of IE and the Windows operating system but not for others.

Microsoft said anyone who has installed IE 5.01 Service Pack 1 or IE 5.5 is already protected against the exploit, unless the computer runs Windows 2000. Windows 2000 users will need to install Windows 2000 Service Pack 1. Microsoft said patches for IE 4.01 Service Pack 2 and IE 5.01 are in progress.

Another patch is under construction for computers running Outlook but not Outlook Express.

Microsoft credited Buenos Aires-based security firm Underground Security Systems Research (USSR) with discovering the bug. The vulnerability was also the subject of an alert on the Bugtraq security mailing list.

The buffer overflow bug comes in the wake of a lengthening string of security embarrassments for Microsoft. Fresh from patching a handful of bugs affecting its Excel, PowerPoint and Access software, the company is still in the process of repairing several vulnerabilities in its Internet Explorer browser and other applications.

These include a bug in IE that lets an attacker read files on a victim's computer and a bug in Excel that lets an attacker take control of a victim's computer while bypassing standard warnings.