Outlook Express inadvertent script execution

Nothing is sacred : Text e-mails process scripts

The only way to secure a computer from hackers is not connect it to the Internet. Since none of us have that luxury, it's important to keep up to date on current security vulnerabilities. For Microsoft Outlook Express users, that means realizing that maybe there is no way to secure it from malicious attacks.

A RECENT POSTING on Security Focus revealed a new security hole that allows plain text e-mail messages to run scripts on a victim's computer without any user approval. BugNet's testing partner KeyLabs was able to reproduce this bug on all current releases of Outlook Express, including version 6.0, which has active scripting off by default. Microsoft Outlook is not affected by this vulnerability. However, Outlook Express 5.0, 5.5, and 6.0 do demonstrate the susceptibility.

Typically, scripting vulnerabilities affect HTML- and Rich Text Format (RTF)-enabled e-mail messages. The interesting thing about this security bug is that it allows a text-only message to automatically execute a script when the message is opened or previewed. The implication of this is that nothing is safe. The size of the executable script allowed in plain text messages is limited, but may consist of two small lines. The first line of script can be approximately 30 characters between the brackets, and the second one can have approximately 15 characters between the brackets. If the code surpasses the limitation on length, the message will be what it purports to be, plain text. In addition, Security Focus reports that other tags likeappear to escape this vulnerability, and are exhibited in the message as plain text as well.

According to KeyLab's tests, changing the Internet security level in Internet Explorer prevents any script in a plain text e-mail message from executing when viewed with Outlook Express. In Internet Explorer on the Tools menu, select Internet Options.... Then click the Security tab and raise the sliding bar all the way up to High. This will protect you from the hidden scripts in plain text messages.

BugNet also recommends disabling the preview pane, which will load messages automatically into the preview window when they are clicked. Also, be vigilant in scrutinizing messages as they come into your Inbox, being careful to delete those from unknown people.

News source: msnbc.com

Report a problem with article
Previous Story

Most Software Stinks!

Next Story

PC Company in NZ ships first XP box to All Black

-1 Comments - Add comment