High risk flaw found in Outlook and Internet Explorer


A flaw has been found in Microsoft's Internet Explorer (IE) Web browser and Outlook e-mail client that can leave systems open to malicious code inserted in e-mails or Web pages.

In an advisory, network security consultancy Pivx Solutions described the vulnerability as "extremely high risk". It said a hacker could run programs, read files, and steal cookies from a user's machine.

In testing, Pivx has demonstrated the flaw in IE 5.5 running on both Windows 98 and Windows NT and on IE6 running on Windows 2000. The flaw also affects the Outlook and Outlook Express e-mail clients. Pivx suggested a quick workaround for end users would involve disabling ActiveX, or setting "Script ActiveX controls marked safe for scripting" to Prompt or Disable within IE and the Outlook software.

The flaw occurs in the way the Microsoft software performs "cross domain security checks" on embedded HTML documents. According to Pivx, while Microsoft checks embedded HTML, it does not perform the check when a Web browser ActiveX control is embedded within the HTML. That embedded control could be used to take over a user's PC.
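The workaround Pivx describes can be audited per security zone. The PowerShell sketch below is an added example, not part of the Pivx advisory or the original article. It assumes the setting "Script ActiveX controls marked safe for scripting" is stored as URL action `1405` under the current user's Internet Settings `Zones` key (0 = Enable, 1 = Prompt, 3 = Disable); the function name is hypothetical.

```powershell
# Added example: report whether each IE security zone follows the workaround
# (Prompt or Disable for "Script ActiveX controls marked safe for scripting").
# Assumption: the setting is URL action 1405, stored per user and per zone.
# Group Policy can override these values under the Policies hive; not checked here.
$DefaultZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SafeScriptingSetting {
    param([string]$ZonesKey = $DefaultZonesKey)

    foreach ($zone in 1..4) {
        $path  = Join-Path $ZonesKey "$zone"
        $value = $null
        if (Test-Path $path) {
            # Returns nothing if the value is absent; the zone then uses its default.
            $item = Get-ItemProperty -Path $path -Name '1405' -ErrorAction SilentlyContinue
            if ($item) { $value = $item.'1405' }
        }

        if ($null -eq $value) {
            $setting = 'Not set (zone default applies)'
        } elseif ($ActionNames.ContainsKey([int]$value)) {
            $setting = $ActionNames[[int]$value]
        } else {
            $setting = "Unrecognised value $value"
        }

        [pscustomobject]@{
            Zone            = $ZoneNames[$zone]
            Setting         = $setting
            # True only when the zone is explicitly set to Prompt (1) or Disable (3).
            MeetsWorkaround = ($null -ne $value) -and ([int]$value -in 1, 3)
        }
    }
}

Get-SafeScriptingSetting | Format-Table -AutoSize
```

The Internet and Restricted sites rows matter most here, since those are the zones in which untrusted Web pages and HTML e-mail are normally rendered.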
