RE: Outlook Crashing, and not asking for password

From: Michael Wojcik (Michael.Wojcikat_private)
Date: Wed Mar 19 2003 - 09:08:42 PST

Next message: Patrick Webster: "NSLOOKUP.EXE"

Previous message: Elkhatib, Ahmad: "Outlook Crashing, and not asking for password"
Maybe in reply to: Elkhatib, Ahmad: "Outlook Crashing, and not asking for password"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On some platforms, Outlook appears to use a separate process to actually
communicate with the server.  On Windows NT, that process is MAPISP32.EXE,
for example.  If outlook.exe dies but mapisp32.exe is still running, you
won't be prompted for login information when you restart Outlook.

I've never seen this happen under any other circumstances, and logging out
or rebooting should terminate mapisp32, and if you're in the habit of
leaving a physically-unsecured system unattended while logged in, you have
worse problems, so this probably isn't a vulnerability.  In any case,
Outlook is so crammed full of security holes that there's not much point in
worrying about this one.  Avoid Outlook if you can; if you're forced by a
foolish IT department (or the legacy of a former foolish IT department, in
my case) to use it, worry first about securing it against remote exploits.
(I've disabled HTML email, for example, and use an application firewall to
prevent Outlook from connecting to any system except the corporate Exchange
server.  Those two take care of a lot of the holes.)

Michael Wojcik
Principal Software Systems Developer, Micro Focus


> -----Original Message-----
> From: Elkhatib, Ahmad [mailto:khatibat_private] 
> Sent: Wednesday, March 19, 2003 1:51 AM
> To: vuln-devat_private
> Subject: Outlook Crashing, and not asking for password 
> 
> 
> Hello List, 
>  
> I was using MS Outlook 2002 to check my email on an exchange 
> server, and
> when I tried to paste a long text message it crashed. Now that's not
> surprising since Outlook is weird like that. The surprising 
> part is that
> when I got the dialog asking whether I want to report the 
> error or not,
> and restart Outlook; I chose to report, and then restart. At 
> this point
> it never asked me for my password again and just restarted Outlook and
> logged back into my inbox. Is this expected behavior ? the 
> fact that it
> logged back into my inbox without asking for a password after 
> it crashed
> really worries me. 
>  
> any ideas ? comments ? 
>  
> -Ahmad   
>

Next message: Patrick Webster: "NSLOOKUP.EXE"
Previous message: Elkhatib, Ahmad: "Outlook Crashing, and not asking for password"
Maybe in reply to: Elkhatib, Ahmad: "Outlook Crashing, and not asking for password"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 14:36:21 PST