As part of its monthly patch-release program, Microsoft released a few fixes on Tuesday for products ranging from Outlook 2002 to MSN Messenger. None of the vulnerabilities, according to the software giant, are critical. But the finder of one flaw disagrees.
The most severe flaw, the one in question, is the Outlook 2002 flaw, which is rated as "important" on Microsoft's scale. It could allow Internet Explorer to execute code on affected machines. In order to exploit the vulnerability, attackers would need to create a Web site and then lure people to view it. Attackers could also create an HTML e-mail to exploit the flaw.
The flaw is related to the way mailto URLs are handled.
"Users are only at risk from this vulnerability when the 'Outlook Today' homepage is their default folder homepage," Microsoft said in an advisory. "This is the default configuration when an Outlook profile is created without any e-mail accounts."
The researcher who found the vulnerability, Jouko PynnÖnen of Finland, disagrees. "This is a false assumption, as an attacker can still carry out the attack, regardless of the default view," he said in an e-mail interview with SearchSecurity.com. "I think [Microsoft] might change their rating after considering this. I have notified them about it. I consider this a critical vulnerability."
If Outlook Today isn't the homepage, exploiting the vulnerability would require two mailto URLs, PynnÖnen said. The first would start Outlook and cause it to show the page. The second would inject the exploit code.
A "moderate" vulnerability exists in Windows Media Services, which leaves affected systems open to denial-of-service attacks. It only affects Windows Media Services 4.1, which is included with Windows 2000 Server.
Specifically, the flaw lies in how components of Media Services handle TCP/IP connections. Remote attackers can exploit it by sending special TCP/IP packets to the services' ports. As a result, the services will stop responding to requests. The services return when restarted.
There is also a "moderate" vulnerability in MSN Messenger, Microsoft's instant messaging software. The flaw lies in how MSN Messenger handles file requests. Attackers can exploit the vulnerability by sending a specially crafted request to vulnerable systems. If exploited, the flaw would allow attackers to view a file on the target system -- but only if they know the location of the file.
Such an attack may be limited, because the attacker would need to know the target's sign-on name. Also, if users block messages from anonymous users, an attack would work only if the attackers' accounts are specifically allowed by the targeted systems.
The vulnerability exists in MSN Messenger 6 and 6.1