
By Robert Lemos
Posted on ZDNet News: Mar 10, 2004 9:37:00 PM

Microsoft has raised the severity rating of an Outlook flaw to "critical," the highest level, after its initial analysis was challenged by the researcher who found the security hole.

The vulnerability in Outlook 2002, first publicized on Tuesday, when Microsoft released a patch, could allow an attacker to use a malicious Web site to cause an affected PC to download and execute a program.


When Microsoft released its fix, it said it believed that the attack could only be accomplished if a PC user had the "Outlook Today" folder as the default home page in Outlook 2002. Now, after being alerted by Jouko Pynonnen, the Finnish security researcher who found the flaw, it says the potential for attack is greater.

"After we released the bulletin, we were made aware that (the 'Outlook Today' restriction) could be gotten around by the attacker," said Stephen Toulouse, the program manager for Microsoft's Security Response Center. Toulouse stressed that the patch provided to customers on Tuesday prevents any attack, even though the hole is larger than first thought.

It's the third time in the past 18 months that Microsoft has upgraded the severity of a security flaw. In December 2002, it upped two "moderate" vulnerabilities to "critical" status, after the researchers who found the holes cast doubt on Microsoft's initial classification.

Pynonnen said Microsoft had not notified him when the patch was planned for release, nor had the company told him how serious it considered the vulnerability.

"I didn't know the issue (was) going to be published this month," he said. Pynonnen added that if he had known, he would have done more research on the mitigating factors Microsoft had assumed.

Pynonnen warned on Wednesday that the vulnerability could be used by an attacker to spread a virus through e-mail messages sent to Outlook 2002 users.

Microsoft took more than seven months to patch the vulnerability, a delay that highlights the software giant's focus on quality over speed in its fixes. Some critics have suggested Microsoft should produce patches faster, but Microsoft's Toulouse said finding the full extent of flaws and eliminating patch problems are company focal points.

"We always try to figure out how broad the impact (of the flaw) will be and try to cover all the possibilities in the patch," he said.

The fix for the security hole can be downloaded through Microsoft's Download Center or by applying Service Pack 3 for Office XP, which was released on Tuesday.
