We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,764 News Articles

Outlook vulnerable to critical VML bug

Risk for those using Outlook Reading Pane

A critical bug in the IE (Internet Explorer) browser also affects users of the Outlook 2003 email client, making it much more serious than previously thought.

The vulnerability can be triggered when IE or Outlook 2003 processes web-based graphics code written in VML (Vector Markup Language). It was first reported by researchers at Sunbelt Software.

Attackers have not yet begun exploiting the email attack, but a handful of websites now serve the code, and hackers have publicly posted software that exploits the vulnerability.

Initially, researchers thought that only IE was vulnerable to attacks that exploited this flaw, but Sunbelt has now concluded that Outlook 2003 users are also at risk.

That's because researchers have discovered a way to execute malicious code without using scripting code, which would normally be blocked by Outlook. By embedding a machine-language 'shellcode' program in the VML tags, researchers have been able to run unauthorised software on systems running the latest version of Outlook 2003.

This has raised concerns because it means that some victims could have their PCs compromised with little or no user action.

To attack IE, criminals would first need to trick users into visiting a malicious website. But with an Outlook attack, it becomes much easier to target a victim.

"All you have to do is send an HTML email and the user is hosed," said Eric Sites, Sunbelt's vice-president of research and development.

Researchers at VeriSign's iDefense unit have also confirmed that some configurations of Outlook will launch the code with no user action, said Ken Dunham, the director of the iDefense Rapid Response Team.

Users who have Outlook's Reading Pane enabled to read messages in HTML are particularly vulnerable to this attack, Dunham said.

Outlook Express users do not appear to be at risk, said Sites.

Microsoft is advising users who want to protect themselves to set Outlook to read email messages in plain text format. Instructions describing how to do this can be found here.

Microsoft's advisory on the VML issue can be found here.

Sunbelt has posted a workaround for the vulnerability here.

Microsoft plans to patch the VML problem as part of its next set of security patches, due on 10 October, but Sites believes that hackers may force the software vendor to rush out an early fix. "I think things will get bad enough that it will have to," he said.


IDG UK Sites

LG G Watch review: Android Wear smartwatch is the best around, so far

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

See Glasgow 2014 in UHD as history is made