Outlook flaw riskier than thought

By Robert Lemos
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: MSN Messenger flaw allows hard-drive access
March 9, 2004; 200 days to fix a broken Windows
February 13, 2004; Microsoft releases monthly security fixes
October 15, 2003; Microsoft upgrades flaw to 'critical'
December 12, 2002

Microsoft has raised the severity rating of an Outlook flaw to "critical," the highest level, after its initial analysis was challenged by the researcher who found the security hole.

The vulnerability in Outlook 2002, first publicized on Tuesday, when Microsoft released a patch, could allow an attacker to use a malicious Web site to cause an affected PC to download and execute a program.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

When Microsoft released its fix, it said it believed that the attack could only be accomplished if a PC user had the "Outlook Today" folder as the default home page in Outlook 2002. Now, after being alerted by Jouko Pynonnen, the Finnish security researcher who found the flaw, it says the potential for attack is greater.

"After we released the bulletin, we were made aware that (the 'Outlook Today' restriction) could be gotten around by the attacker," said Stephen Toulouse, the program manager for Microsoft's Security Response Center. Toulouse stressed that the patch provided to customers on Tuesday prevents any attack, even though the hole is larger than first thought.

It's the third time in the past 18 months that Microsoft has upgraded the severity of a security flaw. In December 2002, it upped two "moderate" vulnerabilities to "critical" status, after the researchers who found the holes cast doubt on Microsoft's initial classification.

Pynonnen said Microsoft had not notified him when the patch was planned for release, nor had the company told him how serious it considered the vulnerability.

"I didn't know the issue (was) going to be published this month," he said. Pynonnen added that if he had known, he would have done more research on the mitigating factors Microsoft had assumed.

Pynonnen warned on Wednesday that the vulnerability could be used by an attack to spread a virus through e-mail messages sent to Outlook 2002 users.

Microsoft took more than seven months to patch the vulnerability, a delay that highlights the software giant's focus on quality over speed in its fixes. Some critics have suggested Microsoft should produce patches faster, but Microsoft's Toulouse said finding the full extent of flaws and eliminating patch problems are company focal points.

"We always try to figure out how broad the impact (of the flaw) will be and try to cover all the possibilities in the patch," he said.

The fix for the security hole can be downloaded through Microsoft's Download Center or by applying Service Pack 3 for Office XP, which was released on Tuesday.

See more CNET content tagged:
Microsoft Outlook 2002, Stephen Toulouse, severity, Microsoft Outlook, security hole

Latest tech news headlines

Technorati makes another acquisition, launches ad platform
Posted in The Social by Caroline McCarthy

October 15, 2008 1:13 PM PDT
'Film on Facebook' project set to debut first movie
Posted in The Social by Caroline McCarthy

October 15, 2008 12:46 PM PDT
VC confidence level takes third-quarter hit
Posted in News - Digital Media by Dawn Kawamoto

October 15, 2008 12:26 PM PDT
See all headlines

Resource center from CNET News sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Digital Media
VC confidence level takes third-quarter hit
The confidence level of Silicon Valley venture capitalists continues to falter and is reaching new lows, according to index results.
Gallery
Photos: Solar business heats up the Golden State
The Open Road
Open source for president? Get real
We're voting for a president, not a software preference. There are bigger issues in front of the U.S. president than whether the government adopts open source.
Beyond Binary
Windows 7 equals some strange math
Although Windows 7 was also the product's code name, the forthcoming version of Windows is not Microsoft's seventh iteration, and it won't carry the version number 7.0.
Video
Apple laptop redesigns and a lower price
News - Digital Media
Who loves an economic crisis? Yahoo Finance
Sites with financial news and data saw record numbers of visitors in September, according to ComScore. Just wait for the October tally.
Video
Apple's latest MacBook Pro
The Social
Film on Facebook to debut first movie Thursday
One Track Mind, a surfing flick created by Woodshed Films, will be available on the social network for viewing on Thursday and Friday.
News - Cutting Edge
'60 Minutes' video: Drone warfare in Iraq
UAVs like the Predator are a highly valued asset for the U.S. military as it pursues "fleeting and perishable" targets. Lesley Stahl reports.
Gallery
Photos: 'Popular Mechanics' breakthroughs
The Car Tech blog
2009 Dodge Challenger SRT8: Big power and head-turning looks
The 2009 Dodge Challenger is truly a muscle car for the 21st century, with the power and the technology to back it up; we only wish the interior matched the price tag.
Green Tech
Tesla Motors replaces CEO, plans layoff
Elon Musk, company investor and chairman, will take over as CEO, replacing Ze'ev Drori, who will join the board. Layoffs are also planned as part of corporate review.