Outlook and IE bug spotted
A new bug has been disclosed by eEye Digital Security. It is a buffer-overflow
flaw potentially allowing attackers to execute malicious code on a system. The
bug affects default installations of Outlook, Outlook Express and Internet Explorer
on Windows 2000 and Windows XP with Service Pack 1 installed, although eEye
said additional versions of Windows may also be affected.
Microsoft says it is investigating the problem and
may issue a fix in the future. The company said it isn't aware of any exploits
using the flaw. In order to minimise the danger from unpatched bugs, eEye doesn't
disclose more than the bare minimum of information on a flaw until it has been
patched or the vendor has tested a workaround.
Security researchers usually urge vendors to patch flaws
within a few weeks of the initial report, arguing that bugs can be detected
by potential attackers just as easily as by legitimate researchers. eEye alone
says it has nine bug reports awaiting patches from Microsoft, the oldest of
which dates from the end of March. Most are high-risk, affecting software such
as Internet Explorer, Outlook and system-level software. Information on advisories
can be found at http://www.eeye.com/html/research/upcoming/index.html.