Outlook Express inadvertent script execution
Posted by Kheldar on 24 September 2001 - 11:09 · no comments & 118 views
About the Author
Full name: Unknown
Forum name: Kheldar
Contact: via forum PM
Submissions: Normal · Headline
Full name: Unknown
Forum name: Kheldar
Contact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google
The only way to secure a computer from hackers is not connect it to the Internet. Since none of us have that luxury, it’s important to keep up to date on current security vulnerabilities. For Microsoft Outlook Express users, that means realizing that maybe there is no way to secure it from malicious attacks.
A RECENT POSTING on Security Focus revealed a new security hole that allows plain text e-mail messages to run scripts on a victim’s computer without any user approval. BugNet’s testing partner KeyLabs was able to reproduce this bug on all current releases of Outlook Express, including version 6.0, which has active scripting off by default. Microsoft Outlook is not affected by this vulnerability. However, Outlook Express 5.0, 5.5, and 6.0 do demonstrate the susceptibility.
Typically, scripting vulnerabilities affect HTML- and Rich Text Format (RTF)-enabled e-mail messages. The interesting thing about this security bug is that it allows a text-only message to automatically execute a script when the message is opened or previewed. The implication of this is that nothing is safe. The size of the executable script allowed in plain text messages is limited, but may consist of two small lines. The first line of script can be approximately 30 characters between the brackets, and the second one can have approximately 15 characters between the brackets. If the code surpasses the limitation on length, the message will be what it purports to be, plain text. In addition, Security Focus reports that other tags likeappear to escape this vulnerability, and are exhibited in the message as plain text as well.
According to KeyLab’s tests, changing the Internet security level in Internet Explorer prevents any script in a plain text e-mail message from executing when viewed with Outlook Express. In Internet Explorer on the Tools menu, select Internet Options…. Then click the Security tab and raise the sliding bar all the way up to High. This will protect you from the hidden scripts in plain text messages.
BugNet also recommends disabling the preview pane, which will load messages automatically into the preview window when they are clicked. Also, be vigilant in scrutinizing messages as they come into your Inbox, being careful to delete those from unknown people.
In the UK and several places in the US, copies of Microsoft Flight simulator where taken of the shelves. The theory being that the terrorists could have used the program to train for their mission. Also, the new version of the game has been delayed slightly as the World Trade Centers were being removed. Many other games were pulled such as Spider Man. Also, many movies were pulled.
In other MS news, the case between MS and the US Justice Department has been delayed a week. This will further hinder any attempt to stop the shipping of Windows XP.
The president of Akamai was killed in one of the planes that hit the WTC. Akamai is involved with distribution of images and files all over the web. They are the Connexion of images and more.
Yet, I do not think these will be the real effects on the industry. I believe that consumer confidence is going to drop to the bottom. The market for computer games, new processors, and better operating systems will not exist. This will create a massive slowdown as to the future of computer development. This will mean all our news days in a few months will look like the last week’s stories.
As citizens of the world, we must continue to purchase as we have previously. This is the only way that we will salvage the tech industry and many others. Current war does not have a massive effect on the productivity of companies as it did in the past. I do not expect war to have a positive or negative effect on the economy.