Bugtraq mailing list archives
RE: SECURITY.NNOV: Outlook Express address book spoofing
From: "Matt Priestley" <mpriest () microsoft com>
Date: Mon, 11 Jun 2001 11:33:28 -0700
Mitigating the problem somewhat is the fact that if G1 & G2 already correspond (which seems plausible given the attack scenario) there would already be an entry for G2 in the contact list. In that case doesn't OE pop up an arbitration dialog? That ought to give the user a clue that something is amiss. They will have to choose "which" address to send to. Personally at that point I would ask myself how I managed to get two entries and check them a little more closely in order to select one.

-matthew Priestley
mpriest () microsoft com
Phone: 425-703-9478
Fax: 425-936-7329

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
Sent: Tuesday, June 05, 2001 4:09 AM
To: bugtraq () securityfocus com
Subject: SECURITY.NNOV: Outlook Express address book spoofing

Hello bugtraq,

sorry if this is already known - the bug is trivial.

Issue : Outlook Express address book allows messages to be intercepted by 3rd party
Date Released : 16 March 2001
Vendor Notified : 16 March 2001
Author : 3APA3A <3APA3A () security nnov ru>
Affected : Outlook Express 5.5SP1 and prior
Discovered : 18 December 2000 by 3APA3A
Remotely Exploitable : Yes
Vendor URL : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories