
Happy birthday? Security flaw found in Outlook's VCards

Microsoft acknowledges a vulnerability in its e-mail programs' handling of electronic business cards; one security firm ties the bug to the data field for birth dates.

Robert Lemos Staff Writer, CNET News.com
Microsoft acknowledged Friday that a bug in the way its popular e-mail programs handle birthday data in electronic business cards could leave people's PCs gift-wrapped for malicious viruses and Trojan horses.

To exploit the vulnerability, an attacker would have to craft a specially formatted value, place it in the birthday field of an electronic business card--or VCard--and e-mail the VCard to the victim.

Once the VCard is opened by Outlook 2000 or 97, or Outlook Express 5.01 or 5.5, the malformed data will at minimum crash the program, and could also execute code of the attacker's choosing, according to a Microsoft security advisory.

"Such code could take any desired action, limited only by the permissions of the recipient on the machine," it stated.

The bug, a so-called "buffer overrun" discovered by security firm @Stake, gives e-mail recipients yet another reason to distrust attachments.
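The pattern the article describes, a fixed-size buffer receiving an attacker-controlled field, is easy to reproduce in miniature. The following C program is an added illustration written for this page; it is not Outlook's code, and Microsoft never confirmed the field or buffer size involved. The 16-byte buffer, the field name `BDAY` (the birthday property defined by RFC 2426), and the sample VCards are all constructed assumptions. It shows a naive parser that copies the birthday value unchecked beside a hardened parser that bounds the copy and validates the value's shape, and builds a hostile VCard with an overlong birthday to exercise the hardened path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size for a BDAY value. RFC 2426 dates look like
 * "1970-01-01" (10 bytes); 16 is an assumed size, not Outlook's real one. */
#define BDAY_BUF 16

/* Vulnerable pattern: copy the value after "BDAY:" into a fixed stack buffer
 * with no length check. An overlong value writes past stackbuf. Shown for
 * comparison only; it is never called here with a hostile VCard. */
int vulnerable_parse_bday(const char *vcard, char *out)
{
    char stackbuf[BDAY_BUF];
    const char *p = strstr(vcard, "\nBDAY:");
    if (!p) return -1;
    p += strlen("\nBDAY:");
    size_t len = strcspn(p, "\r\n");   /* value runs to end of line */
    memcpy(stackbuf, p, len);          /* BUG: len is never bounded */
    stackbuf[len] = '\0';
    strcpy(out, stackbuf);
    return 0;
}

/* Hardened form: bound the copy by the destination size and accept only an
 * ISO 8601 date ("YYYY-MM-DD" or "YYYYMMDD"). Returns 0 on success, -1 if
 * no BDAY line is present, -2 if the value is overlong or malformed. */
int safe_parse_bday(const char *vcard, char *out, size_t outsz)
{
    const char *p = strstr(vcard, "\nBDAY:");
    if (!p) return -1;
    p += strlen("\nBDAY:");
    size_t len = strcspn(p, "\r\n");
    if (len >= outsz) return -2;                 /* would not fit, reject */
    if (len != 10 && len != 8) return -2;        /* not a date-sized value */
    for (size_t i = 0; i < len; i++) {
        char c = p[i];
        int dash_ok = (len == 10 && (i == 4 || i == 7) && c == '-');
        if (!dash_ok && (c < '0' || c > '9')) return -2;
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Constructed VCard whose BDAY value is n bytes of filler, the kind of
 * overlong value the article describes. Caller frees the result. */
char *make_vcard_with_bday_len(size_t n)
{
    const char *head = "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Test User\r\nBDAY:";
    const char *tail = "\r\nEND:VCARD\r\n";
    char *v = malloc(strlen(head) + n + strlen(tail) + 1);
    if (!v) return NULL;
    strcpy(v, head);
    memset(v + strlen(head), 'A', n);
    strcpy(v + strlen(head) + n, tail);
    return v;
}

/* Gateway-style check: returns the hardened parser's status for a VCard,
 * so a mail filter could drop anything that does not return 0. */
int scan_vcard(const char *vcard)
{
    char out[BDAY_BUF];
    return safe_parse_bday(vcard, out, sizeof out);
}

/* Build a hostile VCard with an n-byte BDAY, scan it, and return the status. */
int scan_constructed_hostile(size_t n)
{
    char *v = make_vcard_with_bday_len(n);
    if (!v) return -3;
    int rc = scan_vcard(v);
    free(v);
    return rc;
}

int main(void)
{
    const char *benign =
        "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Test User\r\nBDAY:1970-01-01\r\nEND:VCARD\r\n";
    char out[BDAY_BUF];
    printf("benign: rc=%d bday=%s\n", safe_parse_bday(benign, out, sizeof out), out);
    printf("hostile (200-byte BDAY): rc=%d\n", scan_constructed_hostile(200));
    /* vulnerable_parse_bday() on the hostile VCard would overrun stackbuf. */
    return 0;
}
```

The hardened parser rejects by length before it ever copies, and then by shape, so a filter placed in front of a mail client needs only the return value of `scan_vcard` to quarantine suspect attachments.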

Scott Culp, a Microsoft security program manager, said the company worked closely with @Stake for more than two months to resolve the issue. Although @Stake's advisory said the error affected the birthday field in VCards, Culp would not confirm the specifics.

"My goal in writing the bulletin is to tell the user what the vulnerability is, tell users how it can affect them, and also a lot about the risks," he said. "What we are not interested in is helping the bad guys create a malicious program."

Ollie Whitehouse, the researcher at Cambridge, Mass.-based @Stake who found the flaw, could not be reached for comment, but @Stake's advisory did warn that the bug could easily become the basis for a virus or Trojan horse.

"These problems are often used as the bases for mail worms," stated the @Stake advisory.

The VCard cannot be made to open automatically, so simply opening an e-mail will not trigger any malicious code in an attached VCard. A person can set off a VCard trap only by double-clicking the e-mail attachment or dragging the VCard into the Contacts folder.

Ironically, initial reports of the bug coincided with the resurgence of a hoax mentioning a virus supposedly discovered by Microsoft. According to the hoax, the virus hides in an e-mail with the subject line "A Virtual Card For You." Microsoft's Culp confirmed it was indeed a hoax.

Culp said the VCard vulnerability does not affect Outlook on the Apple Macintosh.

Microsoft recommends that customers using Outlook or Outlook Express download the patch noted in the advisory. The fix will also be included in Service Pack 2 for Internet Explorer 5.01 and 5.5 as well as Windows 2000 SP2.