Confusion and, according to Microsoft, inaccuracy and misinformation surround a vulnerability in the Outlook/Internet Explorer 5 (IE5) combination and the patch issued by Microsoft to remedy it.
The bug — the latest of several discovered — permits executable code to be hidden in an HTML email message or web page. In email the code is inserted in the form of an attachment, which is invisible to the recipient, and which is brought into action as the email is previewed in Outlook.
The recipient does not need to open the attachment, as was necessary with earlier email-transmitted viruses, making the flaw considerably more dangerous.
“A flaw exists [in IE5] in the type of processing that is specified for certain unusual MIME types,” Microsoft says in a security bulletin.
“If an attacker created an HTML email containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the email.”
The email content and attachment could also be hidden on a web page and the victim induced to visit that site, Microsoft says.
US-based content security specialist GFI says in a bulletin about the bug that a patch that partially fixes the vulnerability has been issued, but says it is not a total solution.
GFI Asia-Pacific director Richard Rundle says the patch stops the HTML element from opening live, “but all you have to do to get round that is save it and open it later. All Microsoft’s achieved is to shift the blame from Outlook to the filing system — which is probably its too.”
Such an email or web page should be blocked at the server, he says.
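A server-side check of the kind Rundle describes could look like the following. This is an added example, not code from Microsoft, GFI or the article. The extension list, the set of accepted executable types, the function names and the placeholder MIME type `application/x-constructed-example` are assumptions, since the article does not name the MIME types IE mishandles.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists for this example; tune them for your own gateway.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}
HONEST_TYPES = {"application/octet-stream", "application/x-msdownload"}

MISMATCH = "declared type disguises executable"
PLAIN_EXE = "executable attachment"

def suspicious_parts(raw_bytes):
    """Return (filename, declared_type, reason) for each part to quarantine."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        # Windows ignores trailing dots and spaces, so strip them before testing.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ext = os.path.splitext(name)[1]
        body = part.get_payload(decode=True) or b""
        # "MZ" is the DOS/PE header magic; it catches a renamed executable.
        if ext in EXECUTABLE_EXTS or body[:2] == b"MZ":
            reason = PLAIN_EXE if declared in HONEST_TYPES else MISMATCH
            findings.append((name, declared, reason))
    return findings

def build_sample(subtype, filename, payload):
    """Constructed test message: HTML body plus one attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("<html><body>hello</body></html>", subtype="html")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 16  # header magic only, not a real program
    for sub, fn in [("x-constructed-example", "report.exe"), ("pdf", "notes.pdf")]:
        data = fake_exe if fn.endswith(".exe") else b"%PDF-1.4 constructed"
        print(fn, suspicious_parts(build_sample(sub, fn, data)))
```

Because the check runs on the stored message rather than on how a client renders it, it also covers the save-and-open-later case Rundle raises.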
Microsoft disputes a story in the online version of Wired magazine, which suggests there is a “glitch” in the patch which renders it less than completely effective.
“Microsoft has not issued [any] statement [warning users about any ‘glitch’], nor has the security bulletin been modified,” says Microsoft.
However, Microsoft does include in the original notice a “caveat”: “If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and reinstall the patches.”