LATEST VULNERABILITY FOUND IN MICROSOFT OUTLOOK 2000 HIGHLIGHTS NEED FOR HOLISTIC CORPORATE SECURITY MANAGEMENT

Monday 26 February 2001

Microsoft, Netscape and Lotus users at risk from commonly attached file types left open for use as the basis for mail worms

Internet security consultancy @stake has identified a new security risk to corporations from Microsoft Outlook 2000 users exchanging address book information with products from Microsoft, Netscape and Lotus. Microsoft Outlook 2000 is the e-mail client that is shipped as standard with the Microsoft Office suite and the preferred means of connecting to the Microsoft Exchange product.

@stake's research labs have identified that a buffer overrun, caused by the way Outlook handles the birthday field in the VCF (or vCard) file format, may allow the execution of arbitrary - and potentially malicious - computer code. This happens when a vCard is imported either from the file system or from an attachment to an e-mail. vCards are common attachments used for exchanging address book information between parties that support RFC2426 (http://www.faqs.org/rfcs/rfc2426.html).

An attacker could exploit this opportunity to run malicious code on a target system running Microsoft's Outlook or Outlook Express products on both Windows NT4 and Windows 2000 platforms. The target user would only need to open a malicious vCard file as an attachment to an e-mail message for an attack to take place, causing Outlook to execute any arbitrary computer code contained within the vCard. For instance, this would happen if a sender's address information were added to a user's local address book. The user could also choose to open a vCard as a file on the local or network file system, or as a file via HTTP, with the same consequences.
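The release describes the risk (a malformed birthday field in an attached vCard) but not how a mail gateway or desktop agent might screen for it. The following Python is an added example, not code from @stake or from this release. It unfolds a vCard per the RFC 2425/2426 line-folding rules, parses each property, and flags a BDAY value that is either longer than a policy limit or does not look like the ISO 8601 date the RFC specifies. The policy limit (MAX_BDAY_LEN), the regular expression, and the sample vCards are all assumptions constructed for illustration; the release gives no field length, and the regex is a conservative approximation of the RFC grammar rather than a full implementation.

```python
import re

# RFC 2426 says BDAY is a date (optionally a date-time) in ISO 8601 basic or
# extended form. This is a conservative approximation, an assumption of this
# example, not the full RFC grammar.
BDAY_RE = re.compile(
    r"^\d{4}-?\d{2}-?\d{2}"                      # YYYY-MM-DD or YYYYMMDD
    r"(T\d{2}:?\d{2}:?\d{2}(Z|[+-]\d{2}:?\d{2})?)?$"  # optional time + zone
)

# Assumed policy limit: a well-formed ISO 8601 date-time never needs this much.
MAX_BDAY_LEN = 32


def unfold(text: str) -> str:
    """Undo RFC 2425 line folding: a line break followed by SPACE/TAB continues
    the previous line. Must run before parsing, otherwise a long value split
    across folded lines would be measured piecewise and slip past a check."""
    text = text.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text)


def parse_vcard(text: str):
    """Return a list of (NAME, [params], value) tuples for each content line."""
    props = []
    for line in unfold(text).split("\n"):
        if not line.strip():
            continue
        if ":" not in line:
            # Malformed content line; keep it so a caller can inspect it.
            props.append(("?", [], line))
            continue
        head, value = line.split(":", 1)
        parts = head.split(";")
        name = parts[0].strip().upper()
        if "." in name:                      # strip optional "group." prefix
            name = name.split(".", 1)[1]
        params = [p.strip().upper() for p in parts[1:]]
        props.append((name, params, value))
    return props


def scan_vcard(text: str, max_bday_len: int = MAX_BDAY_LEN):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    for name, _params, value in parse_vcard(text):
        if name != "BDAY":
            continue
        if len(value) > max_bday_len:
            findings.append(
                f"BDAY value length {len(value)} exceeds policy limit {max_bday_len}"
            )
        elif not BDAY_RE.match(value):
            findings.append(f"BDAY value is not an ISO 8601 date: {value!r}")
    return findings


# Constructed sample vCards (not taken from any real message).
BENIGN_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nN:Example;Alice\r\nFN:Alice Example\r\n"
    "BDAY:1970-01-01\r\nEND:VCARD\r\n"
)

# Same date, but folded across two physical lines as RFC 2425 permits.
FOLDED_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
    "BDAY:1970-\r\n 01-01\r\nEND:VCARD\r\n"
)

# Oversized, non-date BDAY value: the shape a filter should reject.
OVERSIZED_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Mallory\r\n"
    "BDAY:" + "A" * 200 + "\r\nEND:VCARD\r\n"
)

if __name__ == "__main__":
    for label, card in [("benign", BENIGN_VCARD), ("folded", FOLDED_VCARD),
                        ("oversized", OVERSIZED_VCARD)]:
        print(label, scan_vcard(card) or "ok")
```

The folded sample is the edge case worth noting: a naive per-line length check would see two short lines and pass, so unfolding has to happen before any field is measured. A gateway would typically quarantine or strip the attachment on any finding rather than try to repair the card.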
Royal Hansen, practice director Europe @stake, commented, "Any vulnerability in commonly attached file types exposes corporations to great risk as these problems are often used as the opportunity for the malicious delivery of highly destructive and virulent mail worms. Again, this is a good example of why corporations must develop security policies that do not trust *ANY* attachment from any unknown source even if the type of attachment is considered `safe` by individual users."

Hansen continued, "While no company's data can be completely secure, businesses should look to evaluate their individual security requirements in a holistic manner. Rather than relying on product-based security solutions - such as firewalls - alone, each business must identify the risk of security exposure, together with the cost of implementing a solution, and assess the level of security needed to protect their sensitive data. This will always include a large element of the 'human dimension' in any of these evaluations."

For further information go to: http://www.atstake.com/research/advisories/2001/index.html#0...

About @stake

@stake works where business and technology intersect, because that is where security is most powerful. The firm integrates technical and business expertise to build security solutions that look beyond the network to the security of applications and data, and future business goals. @stake couples vertical industry expertise in three areas -- financial services, communication service providers and e-markets -- with pioneering research, to design and build strategic security solutions that enable the electronic business initiatives of its Global 2000 clients. Amidst other providers for whom security services are a way to sell products or drive the sale of broader service offerings, @stake stands out with its dedicated focus on security consulting services and the unmatched calibre of its people.
@stake security consultants and research scientists built their expertise at premier organisations including the L0pht, Cerberus Information Security, DERA, the National Security Agency, Axent, BBN, Deloitte & Touche, Open Market and RSA. @stake matches its unparalleled security talent with equally strong vertical industry and business expertise drawn from Sapient, Cambridge Technology Partners, Arthur Andersen, Fleet, Fidelity, Exodus, Nortel and Interpath.

Contact:
Brodeur Bfour
Matthew Ward/Lena Ahmed
email@example.com or firstname.lastname@example.org
Telephone +44 (0) 1753 790 700

This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms. For more information visit https://pressreleasewire.responsesource.com/about.