
Microsoft, Netscape and Lotus users at risk from commonly attached file
types left open for use as the basis for mail worms


Internet security consultancy @stake has identified a new security risk to
corporations from Microsoft Outlook 2000 users exchanging address book
information with products from Microsoft, Netscape and Lotus. Microsoft
Outlook 2000 is the e-mail client that is shipped as standard with the
Microsoft Office suite and the preferred means of connecting to the
Microsoft Exchange product.

@stake's research labs have identified that the execution of arbitrary -
and potentially malicious - computer code may be allowed by a buffer
overrun caused by the way that Outlook handles the birthday field in the
VCF (or vCard) file format. This happens when importing from either the
file system or from an attachment to an e-mail. vCards are common
attachments used for exchanging address book information between parties
that support RFC 2426 (http://www.faqs.org/rfcs/rfc2426.html).


An attacker could exploit this to run malicious code on a target system
running Microsoft Outlook or Outlook Express on either the Windows NT4 or
the Windows 2000 platform. The target user would only need to open a
malicious vCard file attached to an e-mail message for the attack to take
place, since opening it causes Outlook to execute arbitrary computer code
contained within the vCard. For instance, this would happen if a sender's
address information was added to the user's local address book. The user
could also open a vCard as a file on the local or network file system, or
as a file via HTTP, with the same consequences.
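As an added example (not part of the advisory, and not @stake or Microsoft code), a gateway-side check that unfolds a vCard and flags any BDAY value that is overlong or not an RFC 2426 ISO 8601 date, so malformed cards can be quarantined before a mail client imports them. The sample cards, the length bound and the function names are constructed here.

```python
"""Flag vCard BDAY values that do not conform to RFC 2426 (defensive check)."""
import re

# RFC 2426 BDAY is an ISO 8601 date or date-time, basic or extended form,
# e.g. 1996-04-15, 19960415 or 1996-04-15T12:00:00Z.
BDAY_RE = re.compile(
    r"^\d{4}-?\d{2}-?\d{2}"                                  # date part
    r"(T\d{2}:?\d{2}:?\d{2}(\.\d+)?(Z|[+-]\d{2}:?\d{2})?)?$"  # optional time
)
MAX_BDAY_LEN = 40  # assumed bound; any conforming value is far shorter


def unfold(text: str) -> list:
    """Join RFC 2426 folded lines: a line starting with SPACE/HTAB continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def check_vcard(text: str) -> list:
    """Return a list of findings; an empty list means every BDAY value looks sane."""
    findings = []
    for line in unfold(text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # The property name may carry parameters, e.g. BDAY;VALUE=date:...
        prop = name.split(";", 1)[0].strip().upper()
        if prop != "BDAY":
            continue
        if len(value) > MAX_BDAY_LEN:
            findings.append(f"BDAY value too long ({len(value)} chars)")
        elif not BDAY_RE.match(value.strip()):
            findings.append(f"BDAY value not ISO 8601: {value[:20]!r}")
    return findings


# Constructed sample cards (not from the advisory): one conforming, one malformed.
GOOD_VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\nBDAY:1996-04-15\r\nEND:VCARD\r\n"
BAD_VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\nBDAY:" + "9" * 300 + "\r\nEND:VCARD\r\n"

if __name__ == "__main__":
    for label, card in (("good", GOOD_VCARD), ("bad", BAD_VCARD)):
        print(label, check_vcard(card) or "ok")
```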

Royal Hansen, practice director Europe @stake, commented, "Any
vulnerability in commonly attached file types exposes corporations to
great risk as these problems are often used as the opportunity for the
malicious delivery of highly destructive and virulent mail worms. Again,
this is a good example of why corporations must develop security policies
that do not trust *ANY* attachment from any unknown source even if the
type of attachment is considered `safe` by individual users."

Hansen continued, "While no company's data can be completely secure,
businesses should look to evaluate their individual security requirements
in a holistic manner. Rather than relying on product-based security
solutions - such as firewalls - alone, each business must identify the
risk of security exposure, together with the cost of implementing a
solution, and assess the level of security needed to protect their
sensitive data. This will always include a large element of the 'human
dimension' in any of these evaluations."

For further information go to:
http://www.atstake.com/research/advisories/2001/index.html#0...


About @stake

@stake works where business and technology intersect, because that is
where security is most powerful. The firm integrates technical and
business expertise to build security solutions that look beyond the
network to the security of applications and data, and future business
goals.

@stake couples vertical industry expertise in three areas (financial
services, communication service providers and e-markets) with pioneering
research, to design and build strategic security solutions that enable the
electronic business initiatives of its Global 2000 clients. Amidst other
providers for whom security services are a way to sell products or drive
the sale of broader service offerings, @stake stands out with its
dedicated focus on security consulting services and the unmatched calibre
of its people.

@stake security consultants and research scientists built their expertise
at premier organisations including the L0pht, Cerberus Information
Security, DERA, the National Security Agency, Axent, BBN, Deloitte &
Touche, Open Market and RSA. @stake matches its unparalleled security
talent with equally strong vertical industry and business expertise drawn
from Sapient, Cambridge Technology Partners, Arthur Andersen, Fleet,
Fidelity, Exodus, Nortel and Interpath.

Contact:

Brodeur Bfour
Matthew Ward/Lena Ahmed
mward@brodeurbfour.com or lahmed@brodeurbfour.com
Telephone +44 (0) 1753 790 700

This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.