New Security Holes in Outlook

Online privacy and security guru Richard Smith, who operates the Computer Bytes Man site, has
issued a warning about potential security problems in Microsoft Outlook 2002.
One of the most serious involves Windows Media Player (WMP).


In an e-mail to SecurityFocus Corp.’s Bugtraq
database administrators, Smith said that WMP “reintroduces the ability to
automatically execute JavaScript code from an HTML e-mail message in Outlook
2002.”


Bugtraq is an interactive list of vulnerabilities developed to help the
security community identify and fix them.


Smith is the author of a recent detailed report on what he called
“serious privacy problems”
with Windows Media Player for Windows XP that
lets Microsoft track what DVD movies consumers are watching. Microsoft has
said its DVD privacy policy has been amended.


The other Outlook 2002 problems, according to Smith, are that in an HTML
e-mail message, JavaScript code can still be executed in spite of the fact
that scripting is turned off by default in Outlook. The trick is to embed the
JavaScript code in either an “about:” or “javascript:” URL that is used as an
HTML tag.


A third problem is that cookies can be set and read in HTML e-mail messages
in spite of the fact that the default security settings in Outlook 2002 claim
that cookies are turned off. This is a privacy leak problem and not a
security hole, he said. The fourth problem involves gratuitous warnings about
links sent in e-mail messages.


Ironically, Microsoft is making security in its products
a top priority — in January, Chairman Bill Gates emphasized that to
employees in a memo. Last month the company
turned to an outside security expert
to help implement that goal.


Smith said in his message that JavaScript is disabled by default in Outlook
2002, because it can facilitate the creation of worms and other malicious
code which (can be) carried by HTML e-mail messages. Using a number of simple
tricks, “WMP can be used to bypass the Outlook security settings and still
automatically execute JavaScript, Java, and ActiveX code in an HTML
e-mail message.”


“This problem is more of an example of poor security policies in Outlook and
WMP and is not really a security hole in the classic sense,” he wrote, adding
that Outlook Express and earlier versions of Outlook likely have the same
security problem even with all security
protections set to the maximum. There was no immediate response from
Microsoft.

News Around the Web