Outlook flaw could expose networks to trojan horse

Microsoft has admitted that a 'feature' in Outlook and Outlook Express could expose networks to the worst virus risk ever seen.

The Melissa and Love Bug viruses were only prevented from doing too much damage because users could be warned not to open them. But according to NTBugTraq, which tracks security flaws, the Outlook feature means that a hacker could spike an email with a trojan horse and have it run without the user opening the email.

An NTBugTraq spokesman said the attack exploits a calculation that establishes the time the email was sent. When a user retrieves a message from the mail server, Outlook and Outlook Express work out the time it was sent relative to the user's time zone. If a malicious user alters the data this calculation reads, Outlook can be made to run a program while it is performing the calculation. That program could run on the user's computer, or the altered data could simply be random, causing the email client to crash.
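As an added illustration, not code from the article or from Microsoft, the check below is the kind of mail-gateway filter a defender could run on incoming messages: it rejects messages whose Date header, the field that feeds the time-zone calculation described above, is missing, duplicated, overlong, or not in RFC 822 date format. The 64-character limit, the strict pattern and the two sample messages are assumptions constructed for the example.

```python
import re
from email.parser import HeaderParser

# Strict RFC 822 Date shape: optional day name, day, month, year, time, zone.
# Assumed strict on purpose: anything Outlook could not legitimately need is refused.
DATE_RE = re.compile(
    r"^(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s*)?"
    r"\d{1,2}\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{2,4}\s+"
    r"\d{2}:\d{2}(?::\d{2})?\s+"
    r"(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T|[A-IK-Z])$"
)
MAX_DATE_LEN = 64  # assumed sane upper bound; a real Date header is far shorter


def check_date_header(raw_message: str) -> list[str]:
    """Return the problems found in the Date header of a raw RFC 822 message.

    An empty list means the header is present, unique, short and well formed.
    """
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    problems: list[str] = []
    dates = headers.get_all("Date") or []
    if not dates:
        return ["missing Date header"]
    if len(dates) > 1:
        problems.append("multiple Date headers")
    for value in dates:
        value = " ".join(value.split())  # collapse header folding whitespace
        if len(value) > MAX_DATE_LEN:
            problems.append(f"Date header too long ({len(value)} chars)")
        if not DATE_RE.match(value):
            problems.append("Date header does not match RFC 822 format")
    return problems


# Constructed sample messages (not real traffic).
GOOD_MESSAGE = (
    "From: alice@example.com\r\nTo: bob@example.com\r\n"
    "Date: Tue, 18 Jul 2000 10:15:00 +0100\r\nSubject: hi\r\n\r\nbody\r\n"
)
BAD_MESSAGE = (
    "From: alice@example.com\r\nTo: bob@example.com\r\n"
    "Date: Tue, 18 Jul 2000 10:15:00 " + "A" * 200 + "\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print("good:", check_date_header(GOOD_MESSAGE))  # []
    print("bad: ", check_date_header(BAD_MESSAGE))   # two problems reported
```

A gateway would quarantine or strip the header on any non-empty result rather than letting the client parse it.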

Windows 95, 98 or NT users who have Outlook or Outlook Express can solve the problem by upgrading Internet Explorer to version 5.01 SP1 or 5.5.

However, Microsoft warned users of Windows 2000 not to upgrade to IE 5.5 as the Win2K version still contains the flaw. Switching to IE 5.01 SP1 will protect against the flaw until a patch is released at http://windowsupdate.microsoft.com.

A spokesperson for Microsoft said hackers were taking the functionality of programs and using it to their own advantage. "If they had the technology then that they have now, they would have destroyed Windows 95," he said.

Clive McAfferty, MD of security firm Advisor Technologies, said this showed the vulnerabilities in everyday programs. "Commercial software does a lot of things we find useful but which can be exploited. The in-depth checking for problems and back doors isn't happening in the same way it would for government software," he said.

The vulnerability was discovered by two separate parties, security firm Underground Security Systems Research and researcher Aaron Drew.