
Emails May Exploit VML Flaw



David Utter
Staff Writer
2006-09-21



The vulnerability in Internet Explorer's Vector Markup Language (VML) rendering ActiveX control may be just as exploitable through email as it is from a malicious website.

While it will be easy enough for the typical PC user to avoid adult sites that may carry links to malicious code that could exploit IE's latest problem, that won't help against a potential email threat.

Microsoft's next patch update is not scheduled until October 10th, and only rarely does the company release an update out-of-cycle to address even critical problems. That philosophy may have to become more flexible, as exploits for vulnerabilities have been emerging faster and faster from attackers.

TechWeb cited Ken Dunham from security firm iDefense in highlighting the possibility of an email exploit becoming reality:

"The newest exploit works with e-mail," said Dunham. "We took the newest version of Outlook, all patched, and the exploit crashed it." With some help from iDefense researchers, however, the exploit was able to execute other code. That means e-mail clients that preview HTML messages using the IE rendering engine are at risk. Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code.

"You would be attacked immediately, as soon as the preview is rendered," said Dunham.

Disabling JavaScript in IE was recommended by Sunbelt Software as a way to mitigate the IE threat from the exploit. That should work for the email issue as well, due to Outlook's use of IE; shutting off the "preview pane" option is a good practice in general for IE.

UPDATE: Sunbelt's Alex Eckelberry said in an email that disabling JavaScript is no longer a valid mitigation of this exploit, as a new variation of the exploit is in the wild.

Those looking for options besides Outlook on their PCs may wish to consider either Mozilla's Thunderbird email client or Opera's mail client, which is built into the company's web browser. Both options may be freely obtained online.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
