Microsoft Releases Four Critical Office Updates

 

Microsoft today released four security bulletins describing vulnerabilities in various versions of Office and ancillary products, and issued updates to address them. All four updates are rated critical.

The most serious of the four, MS08-015, is titled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution." The flaw is in Outlook's handling of mailto: links, which are HTML links meant to initiate an e-mail session. The user would have to click on a maliciously crafted link in an Outlook HTML e-mail or in a browser.

Exploitation would allow remote code execution in the context of the logged-in user. The usual protection provided by running HTML e-mail in the Restricted zone does no good in this case, because mailto: links are permitted there. These links cannot, however, be made to execute without the user clicking on them.

Almost all supported versions of Outlook are affected, including Office 2000 Service Pack 3, Office XP Service Pack 3, Office 2003 Service Packs 2 and 3, and Office 2007 with no service pack. Office 2007 with Service Pack 1 installed is not affected, indicating that Microsoft silently patched this bug in that service pack. There is no indication that Outlook Express or the Vista Windows Mail program is affected by this vulnerability.

Source: PC Magazine
