Print this article  |  E-mail this article  |  Comment on this article

Security Flaws Found in Outlook, IE

By Ed Oswald, BetaNews

April 1, 2005, 8:34 PM

Two major security flaws were discovered in Microsoft's Internet Explorer and Outlook software Thursday by research firm eEye Digital Securities. According to the firm's Web site, vulnerabilities exist in both programs that allow malicious code to be executed with minimal user interaction.

The company promised more detail to come in a future advisory.

eEye's chief hacking officer Marc Maiffret told eWeek that the issues were rated high risk after the firm discovered that a hacker could take advantage of the flaw from anywhere on the Internet.

"These are client-side vulnerabilities that could allow attacks via a Web browser or the Outlook client. The risk of a zero-day attack is quite high," Maiffret said.

To its defense, Microsoft told BetaNews that while it is investigating the reports it had received from eEye, the company had not received any notices from customers about the issue.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers," a company spokesperson said. "[This] may include providing a fix through a service pack, our monthly release process or an out-of-cycle security update, depending on customer needs."

eEye's Maiffret said that he believes if Microsoft does indeed address the issue, a fix would be as part of a regular monthly security update.

In the meantime, Microsoft suggested that users ensure their firewall is activated and recommended that concerned users visit Microsoft's Web site for more tips on how to protect themselves.

Add a Comment (41 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By ImComingTonight

posted Apr 4, 2005 - 12:42 PM

If you have nothing else to write about, then perhaps I should become the news editor.

Score: 0

By Bugeyes

posted Apr 4, 2005 - 9:32 AM

"A vulnerability in defaul installations of the affected software that allows code to be executed with minimal user interaction."

That's like saying 'someone can take control of your PC if you give them the administrator password'

"Operating Systems Affected:"
"Windows (Various versions to be determined)"
So we can guess it probably exploits the fact that Win9x/Me is crap for security.

Tell me that it effects WinXP SP2 default install, and I might get worried about the mindless zombies out there, but even if it allowed a remote code execution WITHOUT user interaction, it wouldn't worry me as an IE / Outlook user.

Be smart about it, and educate people, don't just say Firefox/Thunderbird!! r0x0rs! M$ bites because everyone else says so!

Firefox is slow, Thunderbird is light years behind Outlook.

Buggy

Score: 0

By jrepin

posted Apr 3, 2005 - 7:53 AM

Who would even use IE and OE when we have Firefox and Thunderbird which are more secure, have more features and are developed much faster. They also look a lot better and you can use themes to change the looks if you don't like the default one. And the developers actualy listen to uses when they ask them for some new feature.

Score: 0

By wincement

posted Apr 4, 2005 - 6:40 PM

Will it never end?

It's getting pretty annoying listening to all the pseudo-nerds argue about the best browser.

Score: 0

By KSzostek

posted Apr 4, 2005 - 9:54 AM

Have you been reading Firefox has more than it's share of problems, and will continue to have them as it's popularity builds.
I'm not at all impressed with firefox, it is slow has several bugs has little in features. Everybody is trying to make features for it but most suck. If you like it, use it, you deserve a featureless browser.

Score: 0

By gawd21

edited Apr 3, 2005 - 11:50 AM

FireFox is cool and works well, however, Thunderbird sucks. It's slow and doesn't support http based e-mail.

Score: 0

By 5ketcher

posted Apr 4, 2005 - 4:58 AM

You are wrong. Thunderbird is mutch faster then Outlook. It's faster to open and to download the email. And you can see HTML Emails if you want.

Score: 0

By gawd21

edited Apr 4, 2005 - 6:18 PM

I said http not html. Look at the time I posted/edited it, it was before you posted.

Score: 0

By xnavy

posted Apr 4, 2005 - 2:12 AM

Get your facts straight. Thunderbird does, in fact, support html mail (and does it well IMO). See http://www.mozilla.org/products/thunderbird/

Score: 0

By gawd21

edited Apr 4, 2005 - 6:16 PM

Before you tell someone else to get the facts straight you might want to be sure in fact that they are wrong and that you aren't. I have searched tb 1.0.2 and still no http e-mail support. I never said it didn't support HTML I SAID HTTP. Learn to read.

Score: 0

By zridling

posted Apr 2, 2005 - 8:56 PM

As long as humans are writing the code and subhumans are hacking away at it, no browser will ever be declared "secure." I don't care if I'm using Mozilla or Microsoft, either one is going to have its weaknesses at any given time. The best security is preventative security.

Score: 0

By AntiochMedia

edited Apr 2, 2005 - 12:25 PM

Just to add in another classic angle of the argument - Thunderbird is comparable to Outlook Express, not to Outlook.

Statements like "Thunderbird is better than Outlook" is comparing apples and oranges.

I use Outlook 2003 so that I can use an Exchange server and have a shared calendar, task list, and contacts that is used within my business. I also like how an Exchange server provides a web-based interface for accessing the data from a computer without Outlook setup.

Outlook and Thunderbird aren't comparable -- they are very different programs.

(As a sidenote, I use Mozilla Firefox. I use the app that fits. If 'Mozilla Lightning' properly integrates a shared calendar, task list, and e-mail in a similar way to Outlook, then it's comparable).

Score: 0

By 5ketcher

posted Apr 4, 2005 - 5:01 AM

Your Email client doesn't share the stuff! Your email server shares your stuff. you can also run on an open exchange server from suse. ist is mutch better then the microsoft one. and you allso have a mutch better webinterface.

Score: 0

By UniversityofKentucky

posted Apr 3, 2005 - 6:17 PM

Just as an aside, The client "Evolution" will connect to an Exchange Server.

Score: 0

By Mystiqq

posted Apr 2, 2005 - 12:12 PM

I hardly call "IE/Outlook having security flaws" a news. :D

Score: 0

By complexity

posted Apr 2, 2005 - 3:04 AM

At least we are protected!

I'll get it over with & say
thunderbird/firefox

Score: 0

By sparklyballs

edited Apr 2, 2005 - 4:09 AM

do you really believe that if firefox/thunderbird were the dominant browser/email client that ie and oe are today, that they would not have some of the same problems with security. i think that it is mainly a numbers game and ie etc.. are the big target solely because of that. it stands to reason that if you have all the main players in the security field looking for flaws in your product that they are going to find them. if all that effort were suddenly diverted to mozilla software how long do you think it would take for a string of security flaws to manifest itself.
how quickly you forget the spoof web site flaw that also affected firefox. if they had to deal with security threats as regularly as redmond i'm pretty certain they would grind to a halt.

Score: 0

By Tenoq

posted Apr 3, 2005 - 8:07 PM

The domain name 'flaw' as you call it, was more a flaw in the IDN spec than in Mozilla and other affected browsers. The only reason IE didn't have the same flaw was because they were behind the 8-ball and hadn't even implemented IDN yet.

Bit rough criticising them for that.

Score: 0

By Ozieo

posted Apr 3, 2005 - 5:29 PM

Hehe, Firefox IS the dominant browser today.
IE is old, fat, buggy crap.

Score: 0

By KSzostek

posted Apr 4, 2005 - 9:59 AM

Grow-up did your mommy not teach you to learn what you are talking about before you speak.

Score: 0

By Squire72

posted Apr 2, 2005 - 12:14 PM

No, they wouldn't have the same problems, because they actually CARE that their clients have a secure, safe browsing experience. To that end, they work constantly on the browser fixing bugs, cleaning up code, and otherwise improving the browser (in such a way that it will run on almost any modern platform, including older versions of Windows).

Microsoft, on the other hand, doesn't give a flying fig about IE users unless they're running Windows XP SP2, and even then - they haven't secured it anywhere near what they'd like you to think they have.

Score: 0

By sophist_dreams

posted Apr 2, 2005 - 10:45 AM

The argument that because FF is less popular therefore hackers dont target it is getting old. The key is that FF doesnt impliment ActiveX and is therefore less vulnerable. Do you really believe someone out there is trying to hack FF just becuase it has a smaller market share? What color is the sky on the planet where you live anyway?

Score: 0

By ConceptJunkie

posted Apr 2, 2005 - 6:52 AM

I have one word for you: ActiveX.

Score: 0

By Caleb

edited Apr 2, 2005 - 6:57 AM

What pisses me off is that people brag about firefox being so much more secure than IE by "not implementing" ActiveX. (boasting it as a feature)

Wow, great job developers. I bet it took you a while not to implement ActiveX.

Mozilla had tons of security problems, but back then nobody cared, and nobody posted a news report on big sites because a "flaw" was detected.

It's only now, that firefox is famous these things are posted.

So let's not be hyprocrites about this please. Both browsers have security problems...

Score: 0

By misuse86

posted Apr 3, 2005 - 6:08 PM

IE MANY MANY MANY FIREFOX FEW FEW FEW

Score: 0

By ConceptJunkie

posted Apr 2, 2005 - 11:57 AM

Oh, yeah. And the Mozilla team didn't take an entire month off in early 2000 to focus solely on security issues after which security problems increased significantly.

No one is saying Mozilla or Firefox or Opera or lynx is perfect, far from it, Firefox has bugs that bug the crap out of me. The difference is that security problems have been far less frequent, fixes are available quickly (as they usually are for IE), and most importantly improvements in Firefox come out relatively quickly and not on a biennial basis, like IE which hadn't changed significantly from a user's point of view from IE 4.0 in 1997 to XP SP 2 last year.

If several Mozilla projects simultaneously develop a laughable reputation for the number of exploits they expose for several years, and claims are repeatedly made that security is being addressed amidst increasing exploit reports, then they will be on par with MS. It's not just IE. Heck IE is one of the better ones... it's Outlook, Outlook Express, WMP, SQL Server, IIS and who know what else? If edlin were written today, it would probably expose kernel functionality through scripting and be a usable vector for rooting a Windows machine over the network.

Firefox isn't better because it was hard work to not implement ActiveX, but rather Microsoft was lazy in creating ActiveX in the first place (at least in their implementing it in the browser, otherwise it's not bad) which is essentially a deliberate security exploit to make up for laziness in developing a true Web application platform. Has Java had anywhere near the security problems compared to ActiveX? Has PHP? Not that I'm aware of. Apache is used far more than IIS, but it has fewer security problems.

The difference is MS never cared about security until the Internet made it an issue whereas in the Unix/Linux world security was considered from Day 1. All software has bugs, but on one side it comes from human error or minor design problems whereas on the other side it is caused by fundamental design flaws caused by shoehorning real security into a system where each process was historically able to control the entire machine, and then exacerbated by human error.

The Internet took MS by surprise, but the Unix/Linux world was ready for it. Networking was far more integral to the evolution of that end, and that mentality and expertise has been utilized in creating new projects which far exceed Microsoft's apps both from learning from the latter's mistakes, and also from not being burdened with remaining compliant with a 20-year legacy of tradeoff, hacks, and bad ideas.

Score: 0

By KSzostek

posted Apr 4, 2005 - 10:03 AM

Just how many of these security flaws has affected you personally? Give me a break, someone crys fire and you run even when the fire doesn't affect you get a clue.

Score: 0

By gawd21

posted Apr 3, 2005 - 12:00 PM

Are you jealous that you don't work for MS?

Score: 0

By Galway

posted Apr 2, 2005 - 8:07 AM

Its all about choice, Some are free and some are not. IE is the norm cus its there allready on Windows and people are lazy or not experienced or oblivious to the choice. For everyone else we can download what the hell you want and use it. And for those people we have news updates and hack reports to base our decisions on. I use Firefox and IE. Coupled with Seganos Internet anon pro to filter out ActiveX, scripts, browser ident and refer.

I concider Firewall, AV and Antispyware to be essenial and concider myself to by comfortably safe.

Im not stuck to these, if any flaws come I will change should I think i need to, but Firefox is my default browser for now.

Score: 0

By sn1p34

posted Apr 2, 2005 - 11:12 AM

I dono how you guys can use Active X as an excuse; they fixed that problem with service pack 2, Now it ask you if you would like to allow Active X.

Score: 0

By misuse86

posted Apr 3, 2005 - 6:13 PM

AND IF YOU REFUSE TO ALLOW ACTIVE-X TO BE INSTALLED, YOU CAN'T EVEN DOWNLOAD MS SERIVCE PACKS - SOUNDS LIKE A PLAN TO ME!!!!

Score: 0

By ConceptJunkie

posted Apr 2, 2005 - 12:04 PM

You are kidding, aren't you?

The more a computer asks potentially confusing or meaningless questions, the more likely a user is going to develop a habit of hitting "Yes" to get that damn dialog out of his face. Even a conscientious user must have considerable knowledge and/or experience to discern when it is really safe to do so.

MS has got to quit allowing you to disable a feature and calling that a security fix. My car will never crash if I can't start it up. I'll never die in a plane crash if I never ride in one. But I don't consider those as "improvements" to the safety of driving or flying.

Score: 0

By sftwrmaniac

posted Apr 2, 2005 - 1:40 PM

Microsoft CHOSE to have the activeX "feature", integrating the browser into the OS. It doesn't matter what features browsers do and do not have. What matters is the ease of use, and yes, for now it's Firefox. If you can't see that then you're either ignorant or lazy.

Score: 0

By Galway

posted Apr 2, 2005 - 1:46 PM

If you so bothered about it turn activeX off, a few mouse clicks and its sorted, cant you be bothered to do that ?

Score: 0

By ConceptJunkie

posted Apr 2, 2005 - 10:27 PM

I'm not bothered by ActiveX because it might harm me, but I am bothered when ActiveX or some other MS flaw^h^h^h^h feature swamps the entire net with worm activity.

Score: 0

By ambiancelover

edited Apr 2, 2005 - 2:55 PM

God the macho egos!

If you men are so good at criticizing everything then make a browser of your own!

Until then have Securities up best you can, in a layered format, and deal with it!

Score: 0

By sftwrmaniac

posted Apr 3, 2005 - 7:54 AM

Some people don't read properly.

Score: 0

By jsc315

posted Apr 3, 2005 - 3:02 PM

IE with another sucurity problem. well what else is new.

Score: 0

By t1nais

posted Apr 3, 2005 - 5:01 PM

I've made a browser. I found by not implementing anything, the browser is totally secure and there is no way it has vulnerabilities.

Score: 0

By KSzostek

posted Apr 4, 2005 - 10:06 AM

Then post it. Maybe you will be the next bill Gates oh wise one, with all the answers.

Score: 0

By 5ketcher

posted Apr 4, 2005 - 5:07 AM

hey cool can you send me a link to that browser or the browser it self? 5ketcher(at)gmx(dot)net. Thanks in advance.

Score: 0

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal

Sep 5 - 2:06 PM ET An ad about nothing: First Seinfeld + Gates ad omitted Vista