Sat, Mar 31, 2007
Unpatched Outlook and Web Security Vulnerability
A serious new, unpatched vulnerability in Microsoft Windows Animated
Cursor handling has been reported and is being actively exploited.
It allows arbitrary malicious code to be executed merely by viewing a
web page or an HTML or Rich Text email. Until this vulnerability is
patched, if you are using Outlook 2002 (Service Pack 1 or later),
configure it to read all email in plain text. Outlook Express and
earlier versions of Outlook remain vulnerable even when reading email
in plain text, so those versions should be avoided altogether. Do not
browse potentially unsafe web pages. For more details and for updates
on the status of this issue, see
http://www.microsoft.com/technet/security/advisory/935423.mspx.
/alerts     permanent link
Malicious Email and Web Files Exploiting Microsoft Products
Since late 2006 there have been a number of unpatched vulnerabilities
in Microsoft products, some of them quite serious, that remain
exploitable by email and/or the web. Many of them are being actively
exploited. A summary of these vulnerabilities is maintained by the
SANS Internet Storm Center (isc.sans.org) at
http://isc.sans.org/diary.html?storyid=1940
Some general recommendations for protecting oneself from malicious emails and web pages follow. Distrust unsolicited Microsoft Office (Word, Excel, PowerPoint) attachments, even from people one knows, since sender addresses are easily forged. Read email in plain text wherever possible. Examine URLs in email messages for plausibility, and copy and paste them into the web browser rather than merely clicking on them: the text shown for a link need not match where the link actually leads. If at all possible, avoid Microsoft Outlook and Outlook Express for email, and Microsoft Internet Explorer as one's default web browser; use Internet Explorer only for trusted web pages that require it. Never browse the web or read email as an administrator: create and use a "limited user" account for this, so that any malicious code that does get executed will not have full access to the machine.
Unfortunately, following these recommendations will not provide complete protection. Only Microsoft can fix the flaws being exploited, and until it does, all users of the affected products remain vulnerable. These measures can, however, reduce the risk.
/advice     permanent link