If you use Outlook 98, 2000, or 2002 to manage your e-mail, you have a new problem to worry about. The problem involves the Microsoft Outlook View Control, an ActiveX feature that lets users view their mail or calendar information remotely. It has recently been discovered that remote attackers can penetrate a system via this Outlook feature and execute any code of their choice. Let’s take a closer look at the risk of this flaw and how to compensate for it.
Risk level—low to moderate
Although penetration via this ActiveX flaw would allow an attacker to read or delete mail, view or modify the user’s calendar, and even run a program on the user’s machine, the risk level should be relatively low. In order to take advantage of the flaw, the user must visit a malicious Web site or open e-mail from the attacker.
Savvy managers who installed last year’s Outlook E-mail Security Update have already blocked the direct e-mail attack. Although Microsoft lists Outlook 2002 as being vulnerable to this ActiveX attack, the Security Update should automatically load when Outlook 2002 is installed, so only a visit to a malicious Web site could make a user vulnerable.
Therefore, although this flaw poses serious dangers to those who aren’t protected, the likelihood of encountering the problem is minimal in a well-managed network.
At the time of this writing, Microsoft had not released any specific patches for this problem. However, you should check Microsoft Security Bulletin MS01-038 for the latest updates.
Until a patch is available, Microsoft advises disabling “ActiveX controls in the IE Internet Zone” as a temporary fix to protect users who visit malicious Web sites. Details on how to do this both network-wide and on individual systems appear in the FAQ portion of MS01-038. And if you haven’t installed the Outlook E-mail Security Update, you should do so in order to block the e-mail route of attack.
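One way to audit the setting that workaround refers to across a fleet, as an added PowerShell example that is neither from this article nor from the MS01-038 FAQ. It assumes the standard Internet Explorer zone registry layout (Zone 3 is the Internet Zone; URL-action values 1200 and 1201 govern running and scripting ActiveX controls), which is my mapping of “ActiveX controls in the IE Internet Zone”, not something the bulletin text on this page states.

```powershell
# Audit (and optionally harden) the IE Internet Zone ActiveX settings.
# Assumption: standard IE zone layout. Zone 3 = Internet Zone.
# Value data meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Harden)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL actions related to ActiveX (value names under the zone key)
$activeXActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveXStatus {
    # Read the whole zone key once; missing values mean IE's built-in default applies
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($name in ($activeXActions.Keys | Sort-Object)) {
        $data = $zone.$name
        $label = if ($null -eq $data) {
            'not set (IE default)'
        } elseif ($meaning.ContainsKey([int]$data)) {
            $meaning[[int]$data]
        } else {
            "unknown ($data)"
        }
        [pscustomobject]@{
            Action  = $activeXActions[$name]
            Value   = $name
            Setting = $label
        }
    }
}

Get-InternetZoneActiveXStatus | Format-Table -AutoSize

if ($Harden) {
    # Set both ActiveX actions to Disable (3) for the Internet Zone of the current user
    foreach ($name in $activeXActions.Keys) {
        Set-ItemProperty -Path $zonePath -Name $name -Value 3 -Type DWord
    }
    Write-Host 'Internet Zone ActiveX actions set to Disable. Re-run without -Harden to verify.'
}
```

On a managed network a machine-wide policy under HKLM or a Group Policy setting can override the per-user values read here, so check the policy source as well before concluding that a workstation is protected.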
It’s apparent that Microsoft is annoyed with the people who discovered this flaw. The company has gone as far as describing them as “irresponsible” for having publicly announced this flaw instead of quietly notifying Microsoft about it so that they could be ready with a patch when the problem was announced. Whether you agree that the announcement was irresponsible depends on whether you prefer to know about a problem early so you can take steps to block it with a quick fix or wait until a public announcement is made and Microsoft has an official patch ready. Once an announcement is made, the flaw becomes much more dangerous because even script kiddies and other inexperienced hackers can then use it to target vulnerable systems.
How do you handle ActiveX vulnerabilities?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.