Outlook flaw riskier than thought

Microsoft has raised the severity rating of an Outlook 2002 security hole to "critical," the highest level, after its initial analysis was challenged.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

March 10, 2004 3:01 p.m. PT

2 min read

Microsoft has raised the severity rating of an Outlook flaw to "critical," the highest level, after its initial analysis was challenged by the researcher who found the security hole.

The vulnerability in Outlook 2002, first publicized on Tuesday, when Microsoft released a patch, could allow an attacker to use a malicious Web site to cause an affected PC to download and execute a program.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

When Microsoft released its fix, it said it believed that the attack could only be accomplished if a PC user had the "Outlook Today" folder as the default home page in Outlook 2002. Now, after being alerted by Jouko Pynonnen, the Finnish security researcher who found the flaw, it says the potential for attack is greater.

"After we released the bulletin, we were made aware that (the 'Outlook Today' restriction) could be gotten around by the attacker," said Stephen Toulouse, the program manager for Microsoft's Security Response Center. Toulouse stressed that the patch provided to customers on Tuesday prevents any attack, even though the hole is larger than first thought.

It's the third time in the past 18 months that Microsoft has upgraded the severity of a security flaw. In December 2002, it upped two "moderate" vulnerabilities to "critical" status, after the researchers who found the holes cast doubt on Microsoft's initial classification.

Pynonnen said Microsoft had not notified him when the patch was planned for release, nor had the company told him how serious it considered the vulnerability.

"I didn't know the issue (was) going to be published this month," he said. Pynonnen added that if he had known, he would have done more research on the mitigating factors Microsoft had assumed.

Pynonnen warned on Wednesday that the vulnerability could be used by an attack to spread a virus through e-mail messages sent to Outlook 2002 users.

Microsoft took more than seven months to patch the vulnerability, a delay that highlights the software giant's focus on quality over speed in its fixes. Some critics have suggested Microsoft should produce patches faster, but Microsoft's Toulouse said finding the full extent of flaws and eliminating patch problems are company focal points.

"We always try to figure out how broad the impact (of the flaw) will be and try to cover all the possibilities in the patch," he said.

The fix for the security hole can be downloaded through Microsoft's Download Center or by applying Service Pack 3 for Office XP, which was released on Tuesday.