Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised (softpedia.com)

Posted by timothy on from the just-positioned dept.

An anonymous reader writes: A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised. The bug [PDF] is because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns and attackers can put exploits in malicious files, which when previewed or viewed inside an Outlook application will automatically execute their payload.

5 of 102 comments (clear)

  1. Seems like Microsoft don't learn from mistakes by Z00L00K · · Score: 4, Informative

    The Melissa mail worm seems to be forgotten, but there's a new generation of coders now that weren't even in school when that occurred.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Doesn't seem like anything new by JaredOfEuropa · · Score: 5, Informative

    Years ago we were warned to turn off Outlook previews, for exactly this reason. Also, my copy of Outlook doesn't download or render attachments (or even images) unless told to, for every individual email. As far as I know, that is the default behaviour. The danger is that you can whitelist senders so that their attachments are downloaded without confirmation, and spammers often use commonly used email addresses as the originator.

    The summary is incorrect as well. FTA: "The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file." So you still need to click. The only exception is if your Outlook is set to always download attachments, show a preview, and if the malicious email is the last one to arrive, since the mail will then be shown in the preview window upon opening Outlook.

    Lastly, Flash needs to die

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. Already fixed by Anonymous Coward · · Score: 4, Informative

    Why doesn't the summary mention that this was fixed by an update released on patch tuesday dec 8?

  4. Re:So to summarise TFA... by climb_no_fear · · Score: 3, Informative

    * It's yet another flash bug,

    It is not just Flash. If you read the article more carefully, you would have seen this (from the article):

    We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects may be abused by attacker, as not only Flash but also a number of other OLE objects can be loaded in Outlook.

  5. Re:Ok. by NoNonAlphaCharsHere · · Score: 4, Informative

    I really don't understand why TFS starts with "A new bug in Outlook..." - after all, it's the SAME bug in Outlook -- since about 1997. Looks like the marketing department at Microsoft, in their endless desire for yet more whizzo shit has (potentially/inevitably) won yet another Pwnie Award. Whenever I see someone with a palm-shaped bruise on their forehead, I know they're a Windows sysadmin. This one reminds me of that Windows Explorer bug that executed arbitrary code from inside image (picture) files when you opened the directory they were stored in.

    "As if millions of voices cried out 'DUH!!!' and were suddenly silenced."