On some platforms, Outlook appears to use a separate process to actually communicate with the server. On Windows NT, that process is MAPISP32.EXE, for example. If outlook.exe dies but mapisp32.exe is still running, you won't be prompted for login information when you restart Outlook.

I've never seen this happen under any other circumstances, and logging out or rebooting should terminate mapisp32, and if you're in the habit of leaving a physically-unsecured system unattended while logged in, you have worse problems, so this probably isn't a vulnerability.

In any case, Outlook is so crammed full of security holes that there's not much point in worrying about this one. Avoid Outlook if you can; if you're forced by a foolish IT department (or the legacy of a former foolish IT department, in my case) to use it, worry first about securing it against remote exploits. (I've disabled HTML email, for example, and use an application firewall to prevent Outlook from connecting to any system except the corporate Exchange server. Those two take care of a lot of the holes.)

Michael Wojcik
Principal Software Systems Developer, Micro Focus

> -----Original Message-----
> From: Elkhatib, Ahmad [mailto:khatibat_private]
> Sent: Wednesday, March 19, 2003 1:51 AM
> To: vuln-devat_private
> Subject: Outlook Crashing, and not asking for password
>
> Hello List,
>
> I was using MS Outlook 2002 to check my email on an exchange server, and
> when I tried to paste a long text message it crashed. Now that's not
> surprising since Outlook is weird like that. The surprising part is that
> when I got the dialog asking whether I want to report the error or not,
> and restart Outlook; I chose to report, and then restart. At this point
> it never asked me for my password again and just restarted Outlook and
> logged back into my inbox. Is this expected behavior ? the fact that it
> logged back into my inbox without asking for a password after it crashed
> really worries me.
>
> any ideas ? comments ?
>
> -Ahmad
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 14:36:21 PST