Mitigating the problem somewhat is the fact that if G1 & G2 already correspond (which seems plausible given the attack scenario) there would already be an entry for G2 in the contact list. In that case doesn't OE pop up an arbitration dialog? That ought to give the user a clue that something is amiss. They will have to choose "which" address to send to. Personally at that point I would ask myself how I managed to get two entries and check them a little more closely in order to select one.

-matthew Priestley
mpriestat_private
Phone: 425-703-9478
Fax: 425-936-7329

-----Original Message-----
From: 3APA3A [mailto:3APA3Aat_private]
Sent: Tuesday, June 05, 2001 4:09 AM
To: bugtraqat_private
Subject: SECURITY.NNOV: Outlook Express address book spoofing

Hello bugtraq,

sorry if this is already known - the bug is trivial.

Issue : Outlook Express address book allows messages to be intercepted by 3rd party
Date Released : 16 March 2001
Vendor Notified : 16 March 2001
Author : 3APA3A <3APA3Aat_private>
Affected : Outlook Express 5.5SP1 and prior
Discovered : 18 December 2000 by 3APA3A
Remotely Exploitable : Yes
Vendor URL : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories