Outlook vulnerable to critical VML bug

A critical bug in Internet Explorer also affects users of the Outlook 2003 e-mail client.

A critical bug in the Internet Explorer (IE) browser also affects users of the Outlook 2003 email client, making it much more serious than previously thought.

The vulnerability can be triggered when IE or Outlook 2003 processes Web-based graphics code written in the Vector Markup Language (VML). It was first reported Monday by researchers at Sunbelt Software.

Attackers have not yet begun exploiting the email attack, but a handful of websites now serve the code, and hackers have publicly posted software that exploits the vulnerability.

Initially, researchers thought that only Internet Explorer was vulnerable to attacks that exploited this flaw, but Sunbelt has now concluded that Outlook 2003 users are also at risk.

That's because researchers have discovered a way to execute malicious code without using scripting code, which would normally be blocked by Outlook. By embedding a machine-language "shellcode" program in the VML tags, researchers have been able run unauthorised software on systems running the latest version of Outlook 2003.

This has raised concerns because it means that some victims could have their PCs compromised with little or no user action.

To attack Internet Explorer, criminals would first need to trick users into visiting a malicious website. But with an Outlook attack, it becomes much easier to target a victim.

"All you have to do is send an HTML email and the user is hosed," Sunbelt vice-president of research and development, Eric Sites, said.

Researchers at VeriSign's iDefense unit have also confirmed that some configurations of Outlook will launch the code with no user action, director of the iDefense Rapid Response Team, Ken Dunham, said. Users who have Outlook's Reading Pane enabled to read messages in HTML are particularly vulnerable to this attack, he added, but Outlook Express users do not appear to be at risk.

Microsoft is advising users who want to protect themselves to set Outlook to read email messages in plain text format.

According to one researcher, Outlook 2003 should not be rendering VML code automatically, but the product appears to be vulnerable due to a second bug in Microsoft's software.

"Some versions of Outlook will render VML despite the fact that they shouldn't," Cybertrust senior information security analyst, Russ Cooper, said. "We should be raking Microsoft over the coals for this."

Sites agreed "there seems to be a bug in the latest version of Outlook".

Microsoft executives were not immediately available to comment for this story.

Microsoft plans to patch the VML problem as part of its next set of security patches, due October 10, but Sites claims hackers may force the software vendor to rush out an early fix.

"I think it will get bad enough that they will have to," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?