Microsoft rushes to fix Outlook flaw

A vulnerability exists in Microsoft's Outlook software that could enable an attacker to easily gain control of a user's mailbox and run code or delete files.

The flaw, discovered by noted bug hunter Georgi Guninski, involves the Outlook View Control, an ActiveX component that enables users to view their mailboxes via the Web. It affects Outlook 98, 2000 and 2002, which ships with the new Office XP suite.

The View Control is only supposed to allow users to view messages or calendar entries, but an attacker need only entice a user into visiting a specially coded Web page in order to run the code to exploit the flaw, according to a bulletin released by Microsoft.

The hole could also be exploited if a user opened an HTML e-mail message containing the malicious code.

In a rare step, Microsoft issued its bulletin late last week even before it had a patch available for the problem. The patch is still under development.

In his bulletin disclosing the flaw, Guninski, who is renowned for uncovering numerous bugs in Microsoft software, listed a simple, if drastic, workaround until the patch is available: "Uninstall Office XP and Windows."

In May, Microsoft issued a bulletin warning that another ActiveX control in Outlook 2000, the office 2000 UA Control, could enable an attacker to carry out Office functions on the machine of a vulnerable user.

Microsoft is betting heavily on Office XP and the forthcoming Windows XP operating system and has stated that they will be the most secure software turned out by the company to date.

They are among the first products to hit the market since Microsoft began an in-house initiative to make security one of the centerpieces of its development process.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.