Date: Fri, 26 Mar 2004 14:08:46 -0800
From: "Drew Copley" <dcopley@...e.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue


 

> -----Original Message-----
> From: Jeff Uslan [mailto:jeff_uslan@...akeasy.net] 
> Sent: Friday, March 26, 2004 10:49 AM
> To: jeff_uslan@...akeasy.net
> Subject: MS Outlook/Outlook Express Preview Pane Security Issue
> 
> 
> FYI 
> 
> 
> Just a reminder that if you are using anything but Outlook 2003.  The HTML
> injection issues and other such exploits with just viewing the preview pane
> have mostly been taken care of in the older versions but issues are still
> popping up.

'HTML injection issues and "other such exploits" with "just viewing"
the email have been cropping up in older versions'... this does not mean
they will not happen in Outlook 2003.

There should definitely be some such bugs in Outlook 2003. There is a
lot of ground to cover where these situations could happen. (i.e.,
numerous message types, numerous automated functions -- just a lot of
code... and a past history... which gives us some probabilistic guess
about potential vulnerability.)

Outlook 2003 does provide numerous security enhancements, some of which are
rather well hidden from users and a very nice Junk E Mail filter. Kudos
to them. [Though, they still have not figured out the simple task of
doing HTML email right. Or message threading. Another good indicator
there may be security bugs -- presence of poor or sloppy design issues
or non-security bugs.]

Outlook 2003 is not free, so expect it to be looked at later rather than
sooner by the larger body of security researchers.











