Microsoft issues new Outlook patch

Microsoft Corp. has identified another security hole in its Outlook e-mail software and said a fix is available for the glitch.

The software maker Thursday released a patch for its Outlook and Outlook Express clients, following the identification of a hole in the software that could allow hackers to use a vCard to disable Outlook, or run code through Outlook.

The vCard attachment is a common way to share address book information.

This exploit, like many viruses, will only work if the user opens an infected attachment in an e-mail document, and was reported to Microsoft by Ollie Whitehouse, a British programmer.

The patch is available from Microsoft, and, as always, the company urges users to follow sound security measures, which included not opening unexpected attachments, especially from strangers.

However, as evidenced by the spread of the Kournikova virus last week, users are still all too willing to open suspect attachments.

According to the Microsoft security advisory, “Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer.”

A buffer temporarily stores data in devices or software. Programmers can design buffers to check the size of data entered into them and reject entries that are too long. When they are “unchecked,” it means there is no such safeguard, and users can enter any amount of data. In the case of Outlook, the unchecked buffer would allow a malicious user to create a vCard that contains what Microsoft called “specially malformed data.” When a recipient opened such a vCard, the data overflow the available buffer size and crash the e-mail software.

“In a more serious case, a malicious user could exploit the unchecked buffer to run unauthorized code on the other user’s computer,” Microsoft warned.

Sara Radicati, president and CEO of The Radicati Group in Palo Alto, Calif., said she hadn’t heard of this hole being a problem yet.

“This is such a low-level issue … it just might not have bubbled up yet,” she said.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now