
Outlook flaw exposed

Holes revealed in yet more Microsoft software

Microsoft has warned of a flaw in yet another of its programs, which could allow hackers to run malicious code on a victim's computer.

The flaw affects an ActiveX control, found in Outlook View, which has been distributed with the 98, 2000 and 2002 versions of the company's email software. The function enables people to view Outlook data over a web page.

Microsoft's technical advisory staff said in normal circumstances the function should only allow users to view mail, but the flaw allows web pages to actually manipulate Outlook data.

The defect was identified by Guninski, a Bulgarian bug hunter, who has been responsible for detecting several flaws in other Microsoft software. His website reads: "The more money I give to Microsoft, the more vulnerable my Windows computers are."

Guninski alerted Microsoft on 9 July but no official statement was made by the software giant until 13 July.

"It is extremely easy to find the vulnerability," Guninski told our News Service, "and if Outlook 98 is affected, as Microsoft states in its advisory, this means it has been around for years."

But Microsoft was unhappy with Guninski, branding his actions irresponsible.

"As a direct result of Mr Guninski's actions, customers are exposed to far greater risk than they would have been had he given Microsoft a chance to respond, instead of pasting the warning on his website," said Scott Culp, program manager at Microsoft's security team.

Culp added customers would now have to update their machines twice thanks to Guninski - once to work around the problem and once to install the patch, which Microsoft is currently working on.

Until the patch is ready, however, the company's advisory paper suggests users work round the flaw by temporarily disabling ActiveX controls in Outlook's IE zone.

News of this latest flaw comes after more than a month of software security troubles for Microsoft, which released three patches for its Exchange Server versions 5.5 and 2000, as well as a warning about two other flaws in its Internet Information Services web server software that might also affect Windows XP's indexing service. See our news story, More holes than Swiss cheese.

