Slashdot Mirror


New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised (softpedia.com)

An anonymous reader writes: A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised. The bug [PDF] is because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns and attackers can put exploits in malicious files, which when previewed or viewed inside an Outlook application will automatically execute their payload.

4 of 102 comments

  1. Dreaming of an alternate universe. by Anonymous Coward · · Score: 2, Insightful

    How much better would the world be without Microcrap and Flash?
    Pity, they are like a plague. Like Zombies. We don't seem to be able to get rid of them.

  2. Flash must be evil because HTML5 is so good? by TheRealHocusLocus · · Score: 4, Insightful

    Lastly, Flash needs to die

    Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be completely deconstructed and rewritten by the open source community using the most conservative style of programming, a system that forces a multi-person review of commits, hit with the best enumeration tools we have, so that arbitrary code execution is not possible? Which might be possible because processor speed has improved since it was first designed and the assembly level hacks that made it possible are no longer necessary? And when we are done, the worst thing that could ever happen is that someone might display goatse.cx inside a Flash window?

    Instead of busting into the kitchen, grabbing pans off the wall and showing the chef how steak should be done, we sit at the table banging our forks and knives, shouting, "Down with meat!"

    It's easy to make fun of Outlook, where with maliciously crafted embedded binary OLE blobs you can trigger exploits in many versions of Microsoft products. The faults lie in the products themselves, not the Blob. But Flash is self-contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

    --
    <blink>down the rabbit hole</blink>
  3. Re:Seems like Microsoft don't learn from mistakes by Dr_Barnowl · · Score: 4, Insightful

    They install software that stops you writing to USB drives these days, to prevent corporate secrets being stolen.

  4. important point, actually. Mail doesn't need code by raymorris · · Score: 3, Insightful

    That's actually a valid and important point. Flash files are executable code. How many dozens of significant vulnerabilities have been caused by Outlook running macros, Flash, Javascript, and other types of executables embedded in emails? Outlook has at least three or four programming languages it can run from emails.

    That's entirely unnecessary. Many people, including myself, have always used email clients that just read email - they don't, and can't, execute anything. If security is important to you, it makes sense to consider whether your email reader really needs to be able to run code found within emails, whether your web browser needs to also be your desktop shell, as "a fundamental part of the Windows operating system", etc. There are many huge classes of vulnerabilities that can't happen if you choose software that simply does its job, without hundreds of tangential features bolted on unnecessarily.
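The story summary says the trigger is a Flash object embedded in a mail that Outlook previews, and raymorris's point is that Flash files are executable code a mail reader has no reason to run. A mail gateway or mailbox scan can at least flag such payloads on the way in. The script below is an added example, not code from Slashdot, softpedia or the linked advisory; it parses a message and reports every MIME part that carries a SWF container, judged by the SWF signature bytes (FWS, CWS, ZWS) rather than the declared content type or filename, so a renamed `.gif` is still caught. The sample message is constructed inline and only borrows the SWF header bytes; the sender addresses and filenames are made up.

```python
import email
from email import policy
from email.message import EmailMessage

# SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_parts(raw_message: bytes):
    """Return (filename, content_type, reason) for each non-multipart MIME part
    that is a Flash file. Magic bytes are checked first so that a disguised
    SWF is reported; parts merely declared as Flash are reported separately."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # decoded (base64/qp) bytes
        ctype = part.get_content_type()
        name = part.get_filename() or "(inline)"
        if payload[:3] in SWF_MAGICS:
            hits.append((name, ctype, "swf magic %r" % payload[:3]))
        elif ctype == "application/x-shockwave-flash" or name.lower().endswith(".swf"):
            hits.append((name, ctype, "declared as flash"))
    return hits


def build_sample() -> bytes:
    """Constructed sample mail (hypothetical addresses and filenames): a text body,
    a harmless attachment, and a zlib-flavoured SWF header renamed to logo.gif.
    Only the 3-byte signature and a version byte (0x0a) are real SWF structure;
    the rest is zero padding, not a working Flash file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"CWS\x0a" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="logo.gif")
    return bytes(msg)


if __name__ == "__main__":
    for name, ctype, reason in find_swf_parts(build_sample()):
        print(f"FLASH CONTENT: {name} ({ctype}) - {reason}")
```

The same `find_swf_parts` call works on a real `.eml` read with `open(path, "rb").read()`; a declared-type check alone would have passed `logo.gif` through.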