yet another security threat in MS OE 5

From: deepquestat_private
Date: Sat Nov 13 1999 - 16:56:54 PST


    MS flags OE 5 security threat
    from http://macweek.zdnet.com/1999/11/07/outlook.html
    
                  Microsoft Corp. has revealed a security issue with the Mac version of Outlook Express 5.0 that may leave users of the free Internet e-mail client open to invasions by potentially destructive Trojan horses.
    
                  According to an e-mail sent out Friday evening by Waggener Edstrom, Microsoft's PR firm, "Microsoft is taking this issue very seriously and is working diligently to provide a solution to this issue that will enable our customers to continue having a safe and easy computing experience.
    
                  "In the meantime, OE 5 users should ensure they do NOT open any file in their Downloads Folder without knowing where the file came from," the e-mail warns.
    
                  According to the document, a security gap in Open Express 5.0 "makes it possible for a malicious sender to send [a multilingual HTML] message to an OE 5 user that will automatically download a file to the user's default Download folder without the OE 5 user's knowledge. (The location of the default Download folder is set in IE or Internet Config.)
    
                  "The downloaded file can be anything, including an executable. This scenario is similar to malicious users sending out messages containing harmful attachments in that the user has to explicitly take action (opening the attachment, or in this case, opening the downloaded file) in order for any damage to occur - the file is NOT automatically opened or executed on the user's machine.
    
                  "Since the user is not aware that the file has been downloaded, the user may encounter the file later and open/launch it. Since the file can be an executable, launching it could cause damage to the user's machine.
                  Users should NEVER open any file in the Downloads Folder unless they know where the file came from.
    
                  "Again, we are taking this issue very seriously and are working on a solution. In the meantime, OE 5 users should ensure they do NOT open any file in their Downloads Folder without knowing where the file came from," the message concludes. 
    
                  Microsoft was not immediately available for additional comment.
    


