Problem is Outlook still suffers from the problem where if you get HTML messages, it's all too happy to download images off the internet for you to finish the message. One can only imagine how this could be used by spammers and others who seek to advertise via e-mail. "Oh, look. A hit on my webserver. Guess he/she/it read my e-mail. I can now spam them forever."

Although that feature MAY have some good uses, it's too easy to abuse. Probably a worse one is by default Outlook will run all javascript/vbscript embeded in HTML (although not with full permissions), and activex controls. And the "Restricted" zone doesn't really disable them either. This is just bad design, and I have far less tolerance for bad design than for simple buffer overflow errors.

Besides the fact this isn't the first buffer overflow in Outlook -- there used to be a long filename overflow, and there was a scriptlet.typelib/eyedog problem, which is responsible for a much more serious problem that IS happening -- the kak worm infecting OE everywhere.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/62/2680#2680