NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0150 Researcher Discloses Vulnerability in Vista Email Program:


A researcher recently disclosed details, along with exploit code, for a vulnerability in Windows Mail, the built-in email program in the Windows Vista operating system that succeeded Outlook Express. An attacker can use the flaw to load malicious software onto a victim's computer. The vulnerability is exploited by tricking a user into clicking a malicious link embedded within an email. If the attacker includes a link that references a local executable, the program is executed without any additional action on the part of the user, whereas if the link points to a remote file, users are often presented with an additional warning. Microsoft's Security Response Center (MSRC) confirmed the vulnerability, but has not disclosed the timeline for a security patch to fix the flaw. The MSRC also indicated that the current threat appeared low, since it was not aware of any attacks exploiting the vulnerability. However, the report notes that due in part to the public disclosure of exploit code, along with the fact that the same researcher has previously advertised an "exploit-for-sale" web site, it is possible that attackers will soon start publicly exploiting the flaw. Security firm Symantec urged users not to click on links within unsolicited email and recommended that users also disable Hypertext Markup Language (HTML) within Windows Mail.

(ComputerWorld.com 26MAR07)
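
A mail-filter check for the kind of link the advisory describes, as an added example that is not part of the original advisory: it extracts anchor targets from an HTML message body and flags those that point at the recipient's own file system. The advisory does not give the link format, so the href forms treated as local (file: URIs and drive-letter paths), the extension list and the sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed set of directly runnable extensions; adjust to local policy.
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".lnk")
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")  # e.g. C:\ or C:/

def classify_href(href):
    """Return 'local-executable', 'local', 'remote' or 'other' for a link target."""
    target = unquote(href.strip())
    if DRIVE_PATH.match(target):
        path = target
    else:
        try:
            parts = urlsplit(target)
        except ValueError:  # malformed URL
            return "other"
        scheme = parts.scheme.lower()
        if scheme in ("http", "https", "ftp"):
            return "remote"
        if scheme != "file":
            return "other"
        if parts.netloc not in ("", "localhost"):
            return "remote"  # file://host/share is on another machine
        path = parts.path
    return "local-executable" if path.lower().endswith(EXECUTABLE_EXT) else "local"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href value of every <a> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def flag_message(html_body):
    """Return (href, verdict) pairs for links that resolve to the local machine."""
    collector = LinkCollector()
    collector.feed(html_body)
    verdicts = [(h, classify_href(h)) for h in collector.hrefs]
    return [(h, v) for h, v in verdicts if v.startswith("local")]

# Constructed sample message body, not taken from the advisory.
SAMPLE_BODY = """<html><body>
<a href="http://news.example.com/story">Read the story</a>
<a href="file:///C:/ExampleDir/example.exe">View invoice</a>
<a href="C:\\ExampleDir\\notes.txt">Notes</a>
</body></html>"""
```

A gateway or mail-store scan can quarantine messages for which `flag_message` returns any `local-executable` verdict and log the plain `local` ones for review.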



Last Modified: Sunday, 29-Apr-2007 15:30:21 EDT