High risk flaw found in Outlook and Internet Explorer


A flaw has been found in Microsoft's Internet Explorer (IE) Web browser and Outlook e-mail client that can leave systems open to malicious code inserted in e-mails or Web pages.

In an advisory, network security consultancy Pivx Solutions described the vulnerability as "extremely high risk". It said a hacker could run programs, read files, and steal cookies from a user's machine.

In testing, Pivx demonstrated the flaw in IE 5.5 running on both Windows 98 and Windows NT, and in IE 6 running on Windows 2000. The flaw also affects the Outlook and Outlook Express e-mail clients. As a quick workaround for end users, Pivx suggested disabling ActiveX, or setting "Script ActiveX controls marked safe for scripting" to Prompt or Disable within IE and the Outlook software.

The flaw occurs in the way the Microsoft software performs "cross domain security checks" on embedded HTML documents. According to Pivx, while Microsoft checks embedded HTML, it does not check when a Web browser ActiveX control is embedded within the HTML. This control could be used to take control of a user's PC.
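The workaround Pivx describes can be checked per security zone from the registry. The script below is an added example, not part of the Pivx advisory or any Microsoft guidance; it assumes the per-user zone settings live under the standard `Internet Settings\Zones` key, where value `1405` is the "Script ActiveX controls marked safe for scripting" action, and the choice of zones 3 and 4 as the ones to harden is also an assumption.

```powershell
# Added example: audit (and optionally set) URL action 1405,
# "Script ActiveX controls marked safe for scripting", for each IE security zone.
param(
    [ValidateSet('Prompt', 'Disable')] [string]$Desired = 'Disable',
    [int[]]$HardenZones = @(3, 4),   # assumption: Internet and Restricted sites
    [switch]$Apply                   # without -Apply the script only reports
)

$Base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Target    = @{ Prompt = 1; Disable = 3 }[$Desired]

foreach ($zone in 0..4) {
    $key = Join-Path $Base $zone
    $cur = (Get-ItemProperty -Path $key -Name '1405' -ErrorAction SilentlyContinue).'1405'

    if ($Apply -and ($HardenZones -contains $zone) -and ($null -eq $cur -or $cur -lt $Target)) {
        # Create the zone key if it is missing, then write the DWORD value.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1405' -Value $Target -Type DWord
        $cur = $Target
    }

    $state = if ($null -eq $cur) { 'not set' }
             elseif ($Meaning.ContainsKey([int]$cur)) { $Meaning[[int]$cur] }
             else { "unknown ($cur)" }

    [pscustomobject]@{
        Zone      = $zone
        Name      = $ZoneNames[$zone]
        Setting   = $state
        # A stricter value than requested (Disable when Prompt was asked for) still passes.
        MeetsGoal = ($null -ne $cur) -and ([int]$cur -ge $Target)
        InScope   = $HardenZones -contains $zone
    }
}
```

Run it without `-Apply` first to see which zones still allow scripting of safe-marked controls; settings enforced through Group Policy are stored elsewhere and take precedence over these per-user values.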
