Outlook 2003 Bypass Flaw Reported

Security researchers have discovered a vulnerability in the Microsoft Outlook 2003 software that could allow malicious hackers to perform illegal actions through e-mails.

According to an alert from Secunia, the flaw could let attackers sneak past the security settings in the Outlook 2003 e-mail program and attempt to load harmful code to vulnerable PCs.

Outlook 2003, the latest iteration of Microsoft’s desktop software, is designed to protect the user by opening mails in a restricted security zone to prevent the use of active scripting or download of harmful files.

However, according to the Secunia alert, it is possible to bypass the security settings by embedding an OLE Object with reference to a Windows media file in a Rich Text Format (RTF) message.

“This can be exploited to start a download sequence of arbitrary files, which in turn causes Internet Explorer to prompt the user whether to download the file,” according to the alert, which carries a “moderately critical” rating.

Combined with another flaw that deals with “Predictable File Location Weakness,” Secunia said it was possible to launch the malicious file without any warning.

Affected software includes Outlook 2003, Office 2003 Student and Teacher Edition, Office 2003 Standard Edition, Office 2003 Small Business Edition and Office 2003 Professional Edition.

The company recommends that users filter HTML and RTF messages until a fix is issued by the software giant.
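As an added illustration (not code from Secunia, Microsoft or the original article), a mail gateway could apply the recommended filtering along these lines. The function name, the quarantine wording and the sample messages are assumptions constructed for the example; application/ms-tnef is included because Outlook wraps rich-text messages in that format.

```python
import re
from email import message_from_bytes, policy

# Content types that carry HTML or RTF bodies. application/ms-tnef is the
# winmail.dat wrapper Outlook uses when it sends rich-text messages.
FILTERED_TYPES = {"text/html", "text/rtf", "application/rtf", "application/ms-tnef"}

# RTF control words that introduce an OLE object.
RTF_OLE = re.compile(rb"\\(object|objemb|objlink|objdata)\b")

def filter_reasons(raw):
    """Return the reasons to quarantine a raw message (empty list = deliver)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Sniff the body as well: an RTF document can be mislabelled.
        is_rtf = payload.lstrip().startswith(b"{\\rtf")
        if ctype in FILTERED_TYPES:
            reasons.append(f"filtered content type: {ctype}")
        elif is_rtf:
            reasons.append(f"RTF body labelled as {ctype}")
        if is_rtf and RTF_OLE.search(payload):
            reasons.append("RTF part embeds an OLE object")
    return reasons

# Constructed sample messages (not captured traffic).
HEAD = b"From: sender@example.com\r\nTo: user@example.com\r\nSubject: test\r\n"
PLAIN = HEAD + b"Content-Type: text/plain\r\n\r\nhello\r\n"
HTML = HEAD + b"Content-Type: text/html\r\n\r\n<p>hello</p>\r\n"
RTF_OBJ = (HEAD + b"Content-Type: application/rtf\r\n\r\n"
           b"{\\rtf1 hello {\\object\\objemb{\\*\\objclass Placeholder}}}\r\n")
MISLABELLED = HEAD + b"Content-Type: text/plain\r\n\r\n{\\rtf1 hello}\r\n"

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("html", HTML),
                      ("rtf+ole", RTF_OBJ), ("mislabelled", MISLABELLED)]:
        print(name, filter_reasons(raw) or "deliver")
```
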
