[Am-info] New bug found in Outlook, IE

Fred A. Miller fmiller@lightlink.com
Thu, 11 Jul 2002 23:22:17 -0400



New bug found in Outlook, IE

By Robert Lemos
Special to ZDNet News
July 11, 2002, 4:15 AM PT

A Danish security researcher warned users of Microsoft's Internet Explorer,
Outlook and Outlook Express applications that a recently discovered
software flaw could leave their system open to malicious code carried on
Web pages or in e-mails.

In an advisory released Wednesday, Thor Larholm, a security researcher and
partner at risk-assessment company PivX Solutions, warned that HTML objects
embedded in Web pages and e-mails could carry code that allows an attacker
to check out victims' cookie files, read their documents, and execute
programs on their computer.

The bug, known as a cross-domain scripting flaw, was discovered on June 25,
and information about it has been posted on several security lists since
then. Larholm also informed Microsoft of the bug the day it was discovered.


"Since this is possibly very publicly known...I have decided to release
this advisory after only two weeks time," Larholm said in the warning.

Microsoft thought Larholm had overstated the seriousness of the flaw.
"Thor's advisory doesn't make it clear that there are significant
mitigating factors associated with the issue," said a company
representative, adding that people who limited their browsing to trusted
sites would be safe as would people who had installed one of the software
giant's patches for its e-mail clients.

The company chose to lambaste Larholm for disclosing the flaw too quickly.
"It's a shame that Thor chose to publicize this issue before the patch
could be completed, because by doing so, he's significantly increased the
risk to customers," the representative said.

The amount of information disclosed about a flaw, and how fast consultants
make the disclosure, has been a point of contention between software makers
and the bug finders based at security companies. Recent research suggests,
however, that the corporate customers who suffer from software maker's
slipups actually want flaws disclosed more quickly.

Hackers and security experts frequently find software flaws in Microsoft's
Internet Explorer. In June, Microsoft released a patch for an IE flaw that
allowed attackers to run code on a victim's computer by exploiting links to
an old pre-Web protocol known as Gopher. The month before that, the company
released a patch for IE that fixed six different flaws.

To repair the current problem, Larholm recommended that users disable
ActiveX in the security settings for Internet Explorer, or run IE and
Outlook in "Restricted" mode, at least until Microsoft releases a patch.

Microsoft said a patch will be available soon.

-- 
"...Linux, MS-DOS, and Windows 2000 (also known as the Good, the Bad, and
the Ugly)."