Language Selection

English French German Italian Portuguese Spanish

Hackers probe Outlook Express flaw

Filed under
Microsoft

The risk of an attack related to a flaw in Microsoft Outlook Express climbed this week, after underground hacking sites began circulating sample code for exploiting it.

The exploit, which the French Security Incident Response Team drew attention to on Monday, is designed to take complete control of PCs with certain versions of the Outlook Express e-mail program installed on them, when users visit newsgroups controlled by the hackers.

But security experts said the risk of a widespread attack is low, because people must visit the malicious newsgroups for an attack to work. In addition, the exploit code that's in circulation has some glitches, said Michael Sutton, a lab director at security company iDefense.

It requires a reasonable amount of user intervention, which lowers the overall risk," Sutton said.

Nonetheless, iDefense urges people with vulnerable machines to install the patch Microsoft released last week to fix the flaw. The problem stems from a component of Outlook's newsreader program called Network News Transfer Protocol. The result of an attack could be serious.

"An attacker could install programs; view, change or delete data; or create new accounts with full user rights," Microsoft warned in a security bulletin for the patch last week. The company rated the vulnerability "important," which falls second to "critical" in its rating scale.

A Microsoft representative said the company is aware of the exploit code but is unaware of active attacks that have utilized it. Microsoft is monitoring the situation and is urging customers to apply its patch, the representative said. The company also directed people to report any attacks to Microsoft and the FBI.

The vulnerability has been found in several versions of Outlook Express, including releases 5.5 and 6.0 for Windows 2000, XP and Server 2003 machines, according to Microsoft. People don't have to launch the Outlook Express program, however, in order to fall victim to an attack.

Source.

More in Tux Machines

Vector Linux 7.1 Light

If you find yourself needing a new firefox but your computer and glibc is too old, Vector Linux 7.1 light will fit the bill. People who are more comfortable with a SysV style init over systemd will breathe a sign of relief. All in all VL 7.1 is a viable choice for users who wish to continue using their older computers with a modern web browser. Read more

Ubuntu Touch OTA-9.5 Hotfix on Its Way to Fix the Big Mir Issue on Ubuntu Phones

Canonical's Łukasz Zemczak today informs us that the Ubuntu Touch development team is considering and preparing to release the promised OTA-9.5 hotfix to Ubuntu Phones users to fix the big Mir issue that made users' smartphone unstable. Read more

Open Source Desktop: Good News and Bad News

The good news is that open source has become the leader on the desktop. The bad news is that a single desktop is not the leader, and that leadership on the desktop may no longer matter. Obviously, the first statement needs qualifications. It clearly does not refer to the number of users, since officially Linux has yet to break 2%, although, depending on your logic, the actual figure might be several times higher. Read more

KDE Applications 16.04 Release Schedule

The release schedule for the upcoming KDE Applications 16.04 bundle has been firmed up. The approved release schedule puts the KDE Applications 16.04 release on 20 April, while leading up to that is the dependency freeze on 16 March, the 16.04 freeze and beta release on 23 March, and the release candidate on 6 April. Read more