Government Security
Network Security Resources

Jump to content

Photo

Microsoft patches 'critical' Outlook, IE bugs


  • Please log in to reply
No replies to this topic

#1 Travis

Travis

    Specialist

  • Sergeant Major
  • 2,101 posts

Posted 24 April 2003 - 01:23 PM

Newly discovered vulnerabilities in the way Microsoft applications handle HTML can allow hackers to take control of a computer

Microsoft has warned customers that they should apply updates for both Internet Explorer and Outlook Express to fix critical security vulnerabilities that could let attackers run programs on a victim's PC.

"The No. 1 thing that we want people to walk away with is to install the updates so their machine is protected," said Stephen Toulouse, security program manager for Microsoft's security response centre.

Last year, Microsoft began to release advisories midweek due to customer comments indicating such a policy makes it more likely that patches can be applied quickly. Both advisories can be found on the company's Web site.

Internet Explorer 5.01, 5.5 and 6.0 all have four flaws, the worst of which could allow an attacker to take control of a person's computer if a victim were to follow links to a Web site or read an HTML (Hypertext Markup Language) email created by an attacker.

A so-called buffer overflow vulnerability, which an attacker can exploit by sending more input to a program than the application expects, could allow the owner of a Web site to run code on the person's computer. Buffer overflows are an old type of vulnerability that still crop up frequently in programs. The flaw occurs in a component of Internet Explorer that delivers Web addresses to the browser from other sources -- for instance, if a person clicked on a URL in an email or a Word document.

Two other vulnerabilities allow an attacker to place code on a Web site that would cause the browser to upload a file from a victim's computer. Another flaw affects how the application handles third-party files such as Adobe Systems' portable document format.

The flaw in Outlook Express is in the way that the application handles the encapsulation of HTML in emails. A software error in the component allows an attacker to run programs on a victim's computer.

Even Windows users who don't read or send email using Microsoft Outlook Express or browse with Internet Explorer should install the update, the advisories stressed.

The advisories are the software giant's 14th and 15th this year. This is the company's second year of trying to secure its many applications under its Trustworthy Computing Initiative.
< object src= http://news.zdnet.co...2133808,00.html > :D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users