
Outlook-Word Vulnerability Could Allow Code Execution

Organizations running Microsoft's Outlook e-mail client face a new security vulnerability if some users choose Word as their default e-mail editor.

Microsoft classifies the newly discovered vulnerability as a moderate risk to client systems, and the company has a patch available at www.microsoft.com/technet/security/bulletin/MS02-021.asp.

A feature of Outlook 2000 and Outlook 2002 allows users to select Microsoft Word as the e-mail editor when writing or editing e-mail in Rich Text or HTML. Because of the vulnerability, when Outlook is used that way, replying to or forwarding an e-mail from a malicious user could execute scripts that run in the security context of the user.

Microsoft uses different security settings for displaying e-mail than for editing it. Outlook displays HTML e-mail by applying Internet Explorer security zone settings that prevent scripts from running. But if the user replies to or forwards the message, Outlook opens the e-mail and passes the message to the Word editor, which doesn't block scripts.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
