At 11:54 AM 11/8/99 -0800, Elias Levy wrote:
>Juan Carlos Garcia Cuartango has found the following security vulnerability
>in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
>attacker to email an Outlook user an executable which will be run when
>the user views the attachment without asking them whether to save it or
>execute it.

>Quick fix: Disable Javascript in Outlook.

There's a wrinkle in this one that I think people need to be aware of - Outlook uses the security zones that IE also uses. By default, everything runs in the 'Internet Zone', though you can get your mail to run in the "Untrusted Zone". Even if your mail is currently set to run in the untrusted zone, any HTML attachments will run in the "Internet Zone".

I have now been running my e-mail client at work using the untrusted zone (and actually tweaked beyond that) for a couple of months, and have not noticed any ill effects at all. I also like to view HTML attachments as pure text to see what is in there, but then I'm fairly paranoid and recognize that end-users can't be expected to do that.

If you want to make sure you've got all the bases covered, then you need to disable JavaScript in both zones. I also recommend investigating all sorts of attachments carefully.

David LeBlanc
dleblancat_private
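
Added example (not part of the original post): a PowerShell audit of the setting the reply recommends, reading the Active scripting action (1400) for both the Internet zone and the Restricted sites zone from the Internet Settings zone registry keys. It assumes the post's "Untrusted Zone" is the Restricted sites zone (zone 4); the function name and the lookup order are this example's own.

```powershell
# Added example: report whether Active scripting (URL action 1400) is disabled
# in BOTH zones the post names. A mail client placed in the restricted zone is
# not enough, because HTML attachments are rendered in the Internet zone.
# Assumption: "Untrusted Zone" in the post = Restricted sites zone (zone 4).
$zones       = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$actionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$prefBase    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyBase  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ScriptingSetting {   # hypothetical helper name
    param([int]$Zone)
    # Lookup order used here (assumed): machine policy, user policy,
    # user preference, machine default. The first key holding 1400 wins.
    $candidates = @(
        "HKLM:\$policyBase\$Zone",
        "HKCU:\$policyBase\$Zone",
        "HKCU:\$prefBase\$Zone",
        "HKLM:\$prefBase\$Zone"
    )
    foreach ($path in $candidates) {
        $item = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.'1400'
            $state = if ($actionNames.ContainsKey($value)) { $actionNames[$value] }
                     else { "Unrecognized ($value)" }
            return [pscustomobject]@{
                Zone = $zones[$Zone]; State = $state; Source = $path
            }
        }
    }
    # Value absent everywhere: treat as unknown rather than assuming it is safe.
    [pscustomobject]@{ Zone = $zones[$Zone]; State = 'Unknown'; Source = '(not set)' }
}

$results = foreach ($z in 3, 4) { Get-ScriptingSetting -Zone $z }
$results | Format-Table -AutoSize

# Flag every zone where scripting is anything other than Disabled.
$gaps = @($results | Where-Object { $_.State -ne 'Disabled' })
if ($gaps.Count -eq 0) {
    'OK: Active scripting is disabled in both zones.'
} else {
    foreach ($g in $gaps) {
        "REVIEW: Active scripting is '$($g.State)' in the $($g.Zone) zone ($($g.Source))."
    }
}
```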
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:58 PDT