Sometimes it seems a week can’t go by without another security flaw turning
up in Microsoft Corp.’s Outlook and Outlook Express (OE) e-mail clients.
This week is no exception.
The Redmond, Wash.-based software maker Friday warned of a flawed OE
component for processing vCards, or virtual business cards. The component
contains a buffer overrun caused by the way it handles the birthday field in
the VCF (or vCard) file format when importing from either the file system or
from an e-mail attachment. The buffer overrun could allow an attacker to
gain control of a victim’s machine.
The exploit works by adding certain malicious code to a vCard and then
sending it to another user. The malicious code would execute once the victim
opened the vCard or added it to his or her contact list.
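A defender-side check for this kind of input, added here as an example and not code from the article or from Microsoft: a small vCard parser that unfolds continuation lines and flags any BDAY value that is oversized or does not look like a date, the sort of screen a mail gateway or attachment scanner could apply before a client imports the card. The 64-character limit and the date pattern are assumptions, since the article does not state the length that overruns the buffer.

```python
import re

# Constructed threshold: the article names the BDAY field as the trigger but
# not the length that overruns the buffer, so this limit is an assumption.
MAX_BDAY_LEN = 64

# Simplified sanity pattern for a vCard 2.1/3.0 BDAY value (ISO 8601 date with
# an optional time part); anything that does not look like a date is flagged.
BDAY_PATTERN = re.compile(r"\d{4}-?\d{2}-?\d{2}(T\d{2}:?\d{2}(:?\d{2})?Z?)?")

def unfold_vcard(text):
    """Join folded lines: a line starting with a space or tab continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_vcard(text):
    """Map each property name (parameters stripped, upper-cased) to its list of values."""
    props = {}
    for line in unfold_vcard(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].strip().upper()
        props.setdefault(name, []).append(value.strip())
    return props

def suspicious_bday_values(text, limit=MAX_BDAY_LEN):
    """Return the BDAY values that are oversized or do not look like a date."""
    flagged = []
    for value in parse_vcard(text).get("BDAY", []):
        if len(value) > limit or not BDAY_PATTERN.fullmatch(value):
            flagged.append(value)
    return flagged

# Constructed samples: a normal card and one whose BDAY is padded far past any real date.
BENIGN_VCARD = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nBDAY:1980-01-02\r\nEND:VCARD\r\n"
OVERSIZED_VCARD = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;John\r\n"
    "BDAY:" + "1980-01-02" + "A" * 300 + "\r\nEND:VCARD\r\n"
)

if __name__ == "__main__":
    print("benign flagged:", suspicious_bday_values(BENIGN_VCARD))
    print("oversized flagged:", len(suspicious_bday_values(OVERSIZED_VCARD)))
```

The check deliberately inspects the unfolded value, so a long field split across continuation lines is measured at its real length rather than line by line.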
“The attacker could cause the mail client to run code of her choice on the
user’s machine,” Microsoft warned. “Such code could take any desired action,
limited only by the permissions of the recipient on the machine.”
There is no way to make a vCard open automatically, but that would not
necessarily be an impediment to an attacker, said Ollie Whitehouse,
managing security architect at the security consulting firm @Stake Inc. and
discoverer of the vCard flaw.
“Someone does have to double-click upon the vCard attachment,” he said. “The
danger here is that vCards are, in the eyes of the user, treated as a benign
attachment. They are not considered to hold any executable code so there is
automatically this implied trust between the end user and whoever is sending
this attachment through that it is simply only a digital business card.”
The flawed component ships as a part of OE, which is a part of Internet
Explorer. The flaw affects Outlook as well as OE because Outlook draws on
several OE components, including the flawed one.
Microsoft has released a patch — which ships as an upgrade to IE — for the flaw.