Microsoft plugs hole in Outlook

From...

By Joris Evers

(IDG) -- Five weeks after first warning of a hole in its Outlook e-mail program, Microsoft released a patch to fix a flaw in an ActiveX control that could allow attackers to run destructive code on a user's computer.

IDG.net INFOCENTER IDG.net's main page Free daily newsletters Instant help from the Dummies Network Computerworld Communities Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

The defect lies in the Microsoft Outlook View Control, an ActiveX control that is installed with Outlook 98, 2000 and 2002. The control is designed to display information from Outlook, such as messages in the inbox, in a Web browser, according to Microsoft.

By exploiting the flaw an attacker can get full control over Outlook and even run destructive code on a user's machine. To exploit the flaw an attacker would either need to lure a user to a particular Web site, or send an HTML (HyperText Markup Language) e-mail to the user, according to Microsoft.

Microsoft on July 12 first warned about the vulnerability that was discovered by Bulgarian bug hunter Georgi Guninski. The software maker advised users to disable ActiveX controls until a patch was made available. Microsoft now urges all users of affected software to download and install the patch, which was released Thursday.