Microsoft has reclassified as "critical" a security patch
for an Outlook vulnerability, released last week as part of its
monthly security upgrade.
The move came just 24 hours after the upgrade was released when a
security expert demonstrated that the vulnerability was more
serious than Microsoft first thought. Microsoft issued a workaround
for businesses to enable users to disable the Outlook Today page on
their client e-mail systems.
The "critical" classification means Microsoft now believes that the
security hole "could allow the propagation of an internet worm
without user action".
The reclassification will embarrass Microsoft, which has been
criticised for its move to issue monthly security patches.
Jouko Pynnonen, who discovered the serious nature of the threat and
brought it to Microsoft's attention, told Computer Weekly, "After
seeing Microsoft's bulletin I started investigating this
restriction and found a way that an attacker could work around it.
I notified Microsoft about this possibility, and they reclassified
the issue as critical."
Richard Brain, technical director at security systems company
ProCheckUp, said, "Threats being reclassified are not new but there
is a certain degree of embarrassment for Microsoft here, as the
retesting to discover the wider threat does not seem to have been
done initially by their own people.
"It may be time for Microsoft to completely rewrite its Outlook
system as the original code is now very old, going back to times
when internet threats were not as widespread."
Microsoft is encouraging users to download and install Office XP
Service Pack 3 or the security update as quickly as possible.