Office XP Bug Opens System to Outsiders

UPDATED Since its introduction, Microsoft's ActiveX technology has been plagued by a seemingly endless flow of security vulnerabilities. The latest flaw discovered by famed bug-hunter Georgi Guninski does nothing to soften the technology's bug laden image. This time, Microsoft Outlook View Control, an ActiveX control that ships with Office, grants malicious users unlimited access to a target system. Although it was first reported that Office XP was solely vulnerable, Microsoft has since issued a security bulletin revealing that all versions of Outlook including 98 are affected.

According to Guninski's findings, "If a user visits a specially designed HTML page with IE or opens or previews a message with Outlook XP arbitrary commands may be executed on his computer." This exploit is accomplished by accessing the Outlook executable, allowing an intruder to read, modify, or delete messages contained in Outlook's folders using a property called "selection."

Guninski contacted Microsoft with his findings on July 9. He has set up a demonstration page that showcases the threat posed, but will not harm your system. In addition, a detailed advisory has been posted containing further information on the bug. Guninski also issued his solution for Outlook users - uninstall Office XP and Windows.

When asked for comment, a Microsoft representative told BetaNews, "Our efforts to protect customers are being impeded by the irresponsible way the person who discovered the vulnerability is handling it. Rather than working with Microsoft, he has chosen to deliberately publicize the issue before a patch could be developed." A patch is currently under development and will be released shortly.