MS Outlook hole is more serious than first thought

News

MS Outlook hole is more serious than first thought

Antony Savvas
Microsoft has reclassified as "critical" a security patch for an Outlook vulnerability released last week as part of its monthly security upgrade.

The move came just 24 hours after the upgrade was released when a security expert demonstrated that the vulnerability was more serious than Microsoft first thought. Microsoft issued a workaround for businesses to enable users to disable the Outlook Today page on their client e-mail systems,.

The "critical" classification means Microsoft now believes that the security hole "could allow the propagation of an internet worm without user action".

The reclassification will embarrass Microsoft, which has been criticised for its move to issue monthly security patches.

Jouko Pynnonen, who discovered the serious nature of the threat and brought it to Microsoft's attention, told Computer Weekly, "After seeing Microsoft's bulletin I started investigating this restriction and found a way that an attacker could work around it. I notified Microsoft about this possibility, and they reclassified the issue as critical."

Richard Brain, technical director at security systems company ProCheckUp, said, "Threats being reclassified are not new but there is a certain degree of embarrassment for Microsoft here, as the retesting to discover the wider threat does not seem to have been done initially by their own people.

"It may be time for Microsoft to completely rewrite its Outlook system as the original code is now very old, going back to times when internet threats were not as widespread."

Microsoft is encouraging users to download and install Office XP Service Pack 3 or the security update as quickly as possible.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy