Microsoft Outlook 2003 Vulnerable to Critical IE Bug

A critical bug in the Internet Explorer (IE) browser also affects users of the Outlook 2003 e-mail client, making it much more serious than previously thought.

The vulnerability can be triggered when IE or Outlook 2003 processes Web-based graphics code written in the Vector Markup Language (VML). It was first reported Monday by researchers at Sunbelt Software.

Sunbelt posted a workaround for the vulnerability.

Attackers have not yet begun exploiting the e-mail attack, but a handful of Web sites now serve the code, and hackers have publicly posted software that exploits the vulnerability.

Only IE Thought Affected At First

Initially, researchers thought that only Internet Explorer was vulnerable to attacks that exploited this flaw, but Sunbelt has now concluded that Outlook 2003 users are also at risk.

That's because researchers have discovered a way to execute malicious code without using scripting code, which would normally be blocked by Outlook. By embedding a machine-language "shellcode" program in the VML tags, researchers have been able run unauthorized software on systems running the latest version of Outlook 2003.

This has raised concerns because it means that some victims could have their PCs compromised with little or no user action.

Easier to Target Victims with Outlook

To attack Internet Explorer, criminals would first need to trick users into visiting a malicious Web site. But with an Outlook attack, it becomes much easier to target a victim.

"All you have to do is send an HTML e-mail, and the user is hosed," said Eric Sites, Sunbelt's vice president of research and development.

Microsoft plans to patch the VML problem as part of its next set of security patches, due Oct. 10, but Sites believes that hackers may force the software vendor to rush out an early fix. "I think it will get bad enough that they will have to," he said.

Researchers at VeriSign's iDefense unit have also confirmed that some configurations of Outlook will launch the code with no user action, said Ken Dunham, the director of the iDefense Rapid Response Team.

Users who have Outlook's Reading Pane enabled to read messages in HTML are particularly vulnerable to this attack, Dunham said.

Microsoft advises users who want to protect themselves to set Outlook to read e-mail messages in plain text format. The Microsoft advisory describes the problem in greater detail.

According to one researcher, Outlook 2003 should not be rendering VML code automatically, but the product appears to be vulnerable due to a second bug in Microsoft's software. "Some versions of Outlook will render VML despite the fact that they shouldn't," said Russ Cooper, a senior information security analyst with Cybertrust. "We should be raking Microsoft over the coals for this."

Sites agreed that "there seems to be a bug in the latest version of Outlook."

Microsoft executives were not immediately available to comment for this story.