
Researcher, Microsoft spar over flaw

Edward Hurley, News Writer

As part of its monthly patch-release program, Microsoft released a few fixes on Tuesday for products ranging from Outlook 2002 to MSN Messenger. None of the vulnerabilities, according to the software giant, are critical. But the finder of one flaw disagrees.

The most severe flaw, the one in question, is the Outlook 2002 flaw, which is rated as "important" on Microsoft's scale. It could allow Internet Explorer to execute code on affected machines. In order to exploit the vulnerability, attackers would need to create a Web site and then lure people to view it. Attackers could also create an HTML e-mail to exploit the flaw.


See below for links to the Microsoft advisories (including information about patches):

Outlook (MS04-009)
Windows Media Services (MS04-008)
MSN Messenger (MS04-010)
In either case, an attacker who successfully exploited the vulnerability could access user files or run arbitrary code on the target systems. The flaw only affects Microsoft Office XP Service Pack 2 and Microsoft Outlook 2002 Service Pack 2.

The flaw is related to the way mailto URLs are handled.

"Users are only at risk from this vulnerability when the 'Outlook Today' homepage is their default folder homepage," Microsoft said in an advisory. "This is the default configuration when an Outlook profile is created without any e-mail accounts."

The researcher who found the vulnerability, Jouko Pynnönen of Finland, disagrees. "This is a false assumption, as an attacker can still carry out the attack, regardless of the default view," he said in an e-mail interview with SearchSecurity.com. "I think [Microsoft] might change their rating after considering this. I have notified them about it. I consider this a critical vulnerability."

If Outlook Today isn't the homepage, exploiting the vulnerability would require two mailto URLs, Pynnönen said. The first would start Outlook and cause it to show the page. The second would inject the exploit code.

A "moderate" vulnerability exists in Windows Media Services, which leaves affected systems open to denial-of-service attacks. It only affects Windows Media Services 4.1, which is included with Windows 2000 Server.

Specifically, the flaw lies in how components of Media Services handle TCP/IP connections. Remote attackers can exploit it by sending special TCP/IP packets to the services' ports. As a result, the services will stop responding to requests. The services return when restarted.

There is also a "moderate" vulnerability in MSN Messenger, Microsoft's instant messaging software. The flaw lies in how MSN Messenger handles file requests. Attackers can exploit the vulnerability by sending a specially crafted request to vulnerable systems. If exploited, the flaw would allow attackers to view a file on the target system -- but only if they know the location of the file.

Such an attack may be limited, because the attacker would need to know the target's sign-on name. Also, if users block messages from anonymous users, an attack would work only if the attackers' accounts are specifically allowed by the targeted systems.

The vulnerability exists in MSN Messenger 6 and 6.1.

