Microsoft warns of IE, Outlook flaws
The company issues security bulletins warning of new security glitches in some of its Internet software that could expose sensitive data.
The Redmond, Wash., company said a glitch could allow hackers to pilfer information from computers running versions of its Internet Explorer Web browser. The Internet Explorer security hole affects versions 5.5 and 6 for Windows. IE 5.01 is not affected by the glitch.
A second problem striking Microsoft's Outlook 2002 e-mail program could let a hacker deny user access to the program. The hacker could do this because a "vulnerability exists in Outlook 2002 in its processing of e-mail header information," according to a Microsoft security bulletin.
Outlook 2002, which is included with Office XP, is affected by the flaw, but Outlook 98, 2000 or Outlook Express are not. Microsoft did not say whether Outlook 11, which is in the hands of about 12,000 beta testers, is vulnerable to the exploit.
The company rated the security glitches as "moderate" threats but recommended all consumers apply patches to prevent hacker attacks.
The new IE glitch comes less than two weeks after the discovery of a more serious security hole that exposed millions of Web servers and PCs to potential hacking. That flaw likely hampered the more than 4 million Web sites using Microsoft's Internet Information Server software.
The new security hole exists because "the security checks that Internet Explorer carries out when particular object caching techniques are used in Web pages are incomplete," according to a Microsoft bulletin. "This could have the effect of allowing a Web site in one domain to access information in another, including the user's local system."
Using the exploit, a hacker could create a Web site that stores information in the browser's cache that would take the Internet user to a different Web address or domain. The hacker also could deliver this "Web object" in Hypertext Markup Language (HTML)-formatted e-mail either opened by the user or simply displayed in Outlook Preview. Outlook Express 6 and Outlook 2002 are not vulnerable to this exploit when used in their default configurations.
The hacker would be able to read any files on the computer or launch programs for which he or she knew the exact location on the compromised system. The hacker would not be able to place programs on the invaded computer or change or delete files, according to Microsoft.
Microsoft has posted a patch for the Internet Explorer flaw. The patch, which is cumulative for other security bugs, can be applied to Internet Explorer 5.5 with Service Pack 2 installed and to IE 6.
In October, GreyMagic Software reported eight security vulnerabilities it deemed "critical" because of a flaw in how Internet Explorer caches Web objects. Wednesday's patch addresses in part the vulnerabilities uncovered by GreyMagic.
More than moderate?
But some security experts took issue with Microsoft rating the Web objects bug as only a moderate threat. In a posting on the Bugtraq forum, Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions lambasted Microsoft's moderate rating.
"Microsoft has given this vulnerability a maximum severity rating of 'moderate,'" he wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."
In November, Microsoft made changes to its security-alert system, including the addition of a fourth rating. The new rating system added "important" between "critical" and "moderate." The fourth designation is "low." So under the new mechanism, a moderate alert is much less severe than it was a month ago.
In the Outlook flaw, a hacker could send a "specially malformed e-mail" that would cause the "Outlook client to fail under certain circumstances," the bulletin stated. "The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server."
The Outlook client would remain usable until the hacker e-mail was removed from the server, either by an administrator or by the user accessing the account with another e-mail client. The exploit affects e-mail delivered using POP, IMAP or WebDAV protocols.
Microsoft has provided a patch for this exploit, which requires that Office XP Service Pack 2 be installed first.
Wednesday's alerts bring the total to nearly 70 for the year, despite Microsoft's new emphasis on making software more secure. In January, Microsoft Chairman Bill Gates called on the company to make security a top priority, even more than adding new features to products. But the software giant has struggled to stomp out the bugs, some of which are recently discovered but have been around for years.
Besides the aforementioned November alerts, in mid-October, the company issued three security bulletins, some with multiple exploits. Earlier in the month, Microsoft stomped out an Outlook Express 6 bug that could have allowed a hacker to take complete control over an exposed computer.