[ISN] Update: Microsoft rethinks latest security patch

From: InfoSec News (isn@private)
Date: Wed Mar 10 2004 - 23:40:12 PST

    http://www.computerworld.com/securitytopics/security/story/0,10801,90992,00.html
    
    By Paul Roberts
    MARCH 10, 2004
    IDG NEWS SERVICE
    
    One day after releasing a trio of security patches, Microsoft Corp. is 
    upgrading the seriousness of one of those fixes to "critical." 
    The software update attached to security bulletin MS04-009 was 
    initially described as an "important" patch (see story). The change 
    follows "continued evaluation" by Microsoft's Security Response 
    Center, a company spokesman wrote in an e-mail today. 
    
    Microsoft defines "critical" bulletins as those concerning software 
    vulnerabilities that, if exploited, "could allow the propagation of an 
    Internet worm without user action." "Important" bulletins concern 
    vulnerabilities that, if exploited, "could result in compromise of the 
    confidentiality, integrity, or availability of users' data, or of the 
    integrity or availability of processing resources," according to 
    information on the company's Web site. 
    
    The change in severity for MS04-009 came after Microsoft learned of a 
    "new attack scenario discovered after the bulletin's original release 
    on March 9," the spokesman said in the e-mail. 
    
    MS04-009 fixes a problem with the way the Outlook e-mail software 
    treats URLs that use the "mailto" tag, which allows Web page authors 
    to insert links on Web pages that launch Outlook or other e-mail 
    clients. 
    
    A problem with the way Outlook interprets mailto URLs could allow an 
    attacker to use a specially formatted mailto URL to gain access to 
    files on an affected system or insert and run malicious computer code. 
    It is rated "important," Microsoft said. 
    
    Microsoft initially claimed that only computers with the Outlook Today 
    home page were vulnerable to attack. Outlook Today is the home page 
    only until an e-mail account is created, Microsoft said. 
    
    However, following release of the bulletin, Finnish security 
    researcher Jouko Pynnonen, who discovered the vulnerability, informed 
    the company that malicious hackers could attack vulnerable Outlook 
    installations even if Outlook Today isn't the default home page, the 
    spokesman said. 
    
    In a revised version of its security bulletin, Microsoft noted the 
    discrepancy. 
    
    "This vulnerability could also affect users who do not have the 
    'Outlook Today' folder home page as their default home page in Outlook 
    2002," the company said. 
    
    The change in status doesn't affect the software patch. Microsoft 
    customers who have already installed the security update don't need to 
    take further action, Microsoft said. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    