Bugtraq mailing list archives

yet another security threat in MS OE 5


From: deepquest () NETSCAPE NET (deepquest () NETSCAPE NET)
Date: Sun, 14 Nov 1999 00:56:54 -0000


MS flags OE 5 security threat
from http://macweek.zdnet.com/1999/11/07/outlook.html

Microsoft Corp. has revealed a security issue with the Mac version of Outlook Express 5.0 that may leave users of the free Internet e-mail client open to invasions by potentially destructive Trojan horses.

According to an e-mail sent out Friday evening by Waggener Edstrom, Microsoft's PR firm, "Microsoft is taking this issue very seriously and is working diligently to provide a solution to this issue that will enable our customers to continue having a safe and easy computing experience.

"In the meantime, OE 5 users should ensure they do NOT open any file in their Downloads Folder without knowing where the file came from," the e-mail warns.

According to the document, a security gap in Open Express 5.0 "makes it possible for a malicious sender to send [a multilingual HTML] message to an OE 5 user that will automatically download a file to the user's default Download folder without the OE 5 user's knowledge. (The location of the default Download folder is set in IE or Internet Config.)

"The downloaded file can be anything, including an executable. This scenario is similar to malicious users sending out messages containing harmful attachments in that the user has to explicitly take action (opening the attachment, or in this case, opening the downloaded file) in order for any damage to occur - the file is NOT automatically opened or executed on the user's machine.

"Since the user is not aware that the file has been downloaded, the user may encounter the file later and open/launch it. Since the file can be an executable, launching it could cause damage to the user's machine. Users should NEVER open any file in the Downloads Folder unless they know where the file came from.

"Again, we are taking this issue very seriously and are working on a solution. In the meantime, OE 5 users should ensure they do NOT open any file in their Downloads Folder without knowing where the file came from," the message concludes.

Microsoft was not immediately available for additional comment.

