RealTime IT News

Microsoft Warns of Outlook, Outlook Express Flaw

Sometimes it seems a week can't go by without another security flaw turning up in Microsoft Corp.'s Outlook and Outlook Express (OE) e-mail clients. This week is no exception.

The Redmond, Wash.-based software maker Friday warned of a flawed OE component for processing vCards, or virtual business cards. The component contains a buffer overrun caused by the way it handles the birthday field in the VCF (or vCard) file format when importing from either the file system or from an e-mail attachment. The buffer overrun could allow an attacker to gain control of a victim's machine.

The exploit works by adding certain malicious code to a vCard and then sending it to another user. The malicious code would execute once the victim opened the vCard or added it to his or her contact list.
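The bug class the article describes, a fixed-size buffer receiving an untrusted vCard field, can be illustrated with a small importer. The code below is an added example written for this page; it is not Microsoft's component, and the `BDAY_MAX` size, the `contact` struct and both parser names are assumptions. The unsafe version trusts the attachment to keep the birthday short; the hardened version checks the length and the expected date shape before copying.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical importer for one vCard line such as "BDAY:1975-04-12".
 * BDAY_MAX is an assumed buffer size chosen for illustration. */
#define BDAY_MAX 16

struct contact {
    char bday[BDAY_MAX];
};

/* Vulnerable pattern: copies whatever follows the colon, so a value
 * longer than BDAY_MAX - 1 bytes overruns c->bday. Shown for contrast
 * only; nothing below calls it. */
int parse_bday_unsafe(const char *line, struct contact *c)
{
    const char *v = strchr(line, ':');
    if (v == NULL)
        return -1;
    strcpy(c->bday, v + 1);
    return 0;
}

/* Hardened: bounds-checks the value and accepts only digits and '-',
 * so an oversized or non-date value is rejected before any copy. */
int parse_bday_safe(const char *line, struct contact *c)
{
    if (strncmp(line, "BDAY:", 5) != 0)
        return -1;
    const char *v = line + 5;
    size_t n = strcspn(v, "\r\n");          /* value ends at line break */
    if (n == 0 || n >= BDAY_MAX)            /* leave room for the NUL */
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!(v[i] >= '0' && v[i] <= '9') && v[i] != '-')
            return -1;
    }
    memcpy(c->bday, v, n);
    c->bday[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines: one benign, one oversized. */
    const char *ok = "BDAY:1975-04-12\r\n";
    const char *oversized = "BDAY:1975-04-12-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
    struct contact c;

    printf("benign:    %d\n", parse_bday_safe(ok, &c));        /* 0 */
    printf("oversized: %d\n", parse_bday_safe(oversized, &c)); /* -1 */
    return 0;
}
```

The check that matters is the length test against the destination size; the character whitelist is an extra guard that keeps any non-date payload out of the contact record entirely.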

"The attacker could cause the mail client to run code of her choice on the user's machine," Microsoft warned. "Such code could take any desired action, limited only by the permissions of the recipient on the machine."

There is no way to make a vCard open automatically, but that would not necessarily be an impediment to an attacker, said Ollie Whitehouse, managing security architect for security consulting firm @Stake Inc. and discoverer of the vCard flaw.

"Someone does have to double-click upon the vCard attachment," he said. "The danger here is that vCards are, in the eyes of the user, treated as a benign attachment. They are not considered to hold any executable code so there is automatically this implied trust between the end user and whoever is sending this attachment through that it is simply only a digital business card."

The flawed component ships as a part of OE, which is a part of Internet Explorer. The flaw affects Outlook as well as OE because Outlook draws on several OE components, including the flawed one.

Microsoft has released a patch -- which ships as an upgrade to IE -- for the flaw.