FRAMINGHAM (07/31/2000) - What's up with the new bug that makes Outlook susceptible to e-mail viruses even if I don't open or read the e-mail?
The SANS Institute says Outlook and Outlook Express share a vulnerability that lets attackers run programs on your computer, and all you have to do is download e-mail from the server. Microsoft Corp. posted a patch at www.microsoft.com/technet/security/bulletin/MS00-043.asp. SANS recommends blocking outgoing Windows File Sharing at the firewall.
Another issue is the Office HTML Script Vulnerability. Microsoft released MS00-049 to resolve two vulnerabilities in which a particular fragment of HTML code could cause an Excel 2000 or PowerPoint document to be saved to the user's system, which could execute VBA code. This patch addresses a vulnerability whereby an Access database could execute commands on the user's system. The FAQ and patch are at www.microsoft.com/technet/security/bulletin/fq00-049.asp. To fully address the Access problem, open Access without opening any databases, and assign a nontrivial password to the Admin user under the Tools/Security/User and Group Accounts menu.
It was recently reported that Internet Explorer 5.X and Outlook are susceptible to a DHTML Control vulnerability that lets malicious Web sites or e-mails gain access to files on a user's system. To fix, disable active scripting until a patch comes out.
Blass is a network architect with Sprint Enterprise Network Services in Houston. He can be reached at firstname.lastname@example.org.