Bugtraq mailing list archives

RE: SECURITY.NNOV: Outlook Express address book spoofing


From: "Matt Priestley" <mpriest () microsoft com>
Date: Mon, 11 Jun 2001 11:33:28 -0700

Mitigating the problem somewhat is the fact that if G1 & G2 already
correspond (which seems plausible given the attack scenario) there would
already be an entry for G2 in the contact list. In that case doesn't OE
pop up an arbitration dialog? That ought to give the user a clue that
something is amiss. They will have to choose "which" address to send to.

Personally at that point I would ask myself how I managed to get two
entries and check them a little more closely in order to select one.

-matthew Priestley
mpriest () microsoft com

Phone: 425-703-9478
Fax: 425-936-7329


-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
Sent: Tuesday, June 05, 2001 4:09 AM
To: bugtraq () securityfocus com
Subject: SECURITY.NNOV: Outlook Express address book spoofing

Hello bugtraq,

sorry if this is already known - the bug is trivial.

Issue                   :  Outlook Express address book allows
                           messages to be intercepted by 3rd party
Date Released           :  16 March 2001
Vendor Notified         :  16 March 2001
Author                  :  3APA3A <3APA3A () security nnov ru>
Affected                :  Outlook Express 5.5SP1 and prior
Discovered              :  18 December 2000 by 3APA3A
Remotely Exploitable    :  Yes
Vendor URL              :  http://www.microsoft.com
SECURITY.NNOV advisories:  http://www.security.nnov.ru/advisories


