RealTime IT News

New Security Holes in Outlook

Online privacy and security guru Richard Smith, who operates the Computer Bytes Man site, has issued a warning about potential security problems in Microsoft Outlook 2002. One of the most serious involves Windows Media Player (WMP).

In an e-mail to SecurityFocus Corp.'s Bugtraq database administrators, Smith said that WMP "reintroduces the ability to automatically execute JavaScript code from an HTML e-mail message in Outlook 2002."

Bugtraq is an interactive list of vulnerabilities developed to help the security community identify and fix them.

Smith is the author of a recent detailed report on what he called "serious privacy problems" with Windows Media Player for Windows XP that lets Microsoft track what DVD movies consumers are watching. Microsoft has said its DVD privacy policy has been amended.

A second Outlook 2002 problem, according to Smith, is that JavaScript code in an HTML e-mail message can still be executed even though scripting is turned off by default in Outlook. The trick is to embed the JavaScript code in either an "about:" or "javascript:" URL that is used in an HTML tag.
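A defensive check for this issue, as an added example that is not from Smith's report or from this article: a mail-gateway style scan that flags any HTML attribute whose value is a "javascript:" or "about:" URL, including values disguised with character references or embedded whitespace. The function names, the normalization rules and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two URL schemes the article names as carrying script in HTML e-mail.
SCRIPT_SCHEMES = ("javascript:", "about:")

# Browsers drop tab/CR/LF inside a URL and ignore leading control characters
# and spaces, so a filter has to do the same before comparing the scheme.
_IGNORED_INSIDE = re.compile(r"[\t\r\n]")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def normalize_url(value):
    """Return the attribute value the way a browser would read its scheme."""
    return _IGNORED_INSIDE.sub("", value).lstrip(_LEADING_JUNK).lower()


class SchemeScanner(HTMLParser):
    """Records (tag, attribute, scheme) for each script-bearing URL attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references such as &#115;
        for name, value in attrs:
            if value is None:
                continue
            url = normalize_url(value)
            for scheme in SCRIPT_SCHEMES:
                if url.startswith(scheme):
                    self.findings.append((tag, name, scheme))


def scan_html(html):
    """Scan one HTML message body and return the list of findings."""
    scanner = SchemeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample body: one ordinary link, two disguised script-scheme URLs.
SAMPLE_HTML = (
    '<p>Quarterly report attached.</p>'
    '<a href="https://example.com/report">report</a>'
    '<a href="JaVa&#115;cript:void(0)">link</a>'
    '<img src=" \tabout:blank">'
)

if __name__ == "__main__":
    for tag, attr, scheme in scan_html(SAMPLE_HTML):
        print(f"flag: <{tag} {attr}=...> uses {scheme}")
```

The scan covers tag attributes only; a gateway would typically quarantine or rewrite a flagged message rather than deliver it.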

A third problem is that cookies can be set and read in HTML e-mail messages in spite of the fact that the default security settings in Outlook 2002 claim that cookies are turned off. This is a privacy leak problem and not a security hole, he said. The fourth problem involves gratuitous warnings about links sent in e-mail messages.

Ironically, Microsoft is making security in its products a top priority -- in January, Chairman Bill Gates emphasized that to employees in a memo. Last month the company turned to an outside security expert to help implement that goal.

Smith said in his message that JavaScript is disabled by default in Outlook 2002 because it can facilitate the creation of worms and other malicious code that can be carried by HTML e-mail messages. Using a number of simple tricks, "WMP can be used to bypass the Outlook security settings and still automatically execute JavaScript, Java, and ActiveX code in an HTML e-mail message."

"This problem is more of an example of poor security policies in Outlook and WMP and is not really a security hole in the classic sense," he wrote, adding that Outlook Express and earlier versions of Outlook likely have the same security problem even with all security protections set to the maximum. There was no immediate response from Microsoft.