Vista’s Successor to Outlook Express Has a Security Issue
Outlook Express security was bad… in fact, you could say, “What security?” Vista’s big claim to fame is security… SECURITY! Yep. But… you knew there would be a “but.” It turns out the first big security issue with Vista Windows Mail has surfaced, and it is a doozy!
“The successor to Outlook Express links seamlessly with its predecessor’s dubious reputation in matters of security. Just a few months after its official release, the first significant security problem has been uncovered: under certain circumstances, simply clicking on a link in an email can cause a program to be launched on the local computer. A hacker going by the pseudonym Kingcope has reported on a security mailing list that this can be achieved by simply embedding a link to a local program in an email. If a directory with the same name as the executable program exists, the program will be executed by Windows Mail when the user clicks on the link without requiring any confirmation. A brief test at heise Security confirmed this. After creating a folder called calc in C:\Windows\System32\, clicking on a link to c:/windows/system32/calc? launched the calculator without any further user interaction. Up until to now, there has ben no real attack scenario to exploit this, and so the concrete danger is fairly low. Kingcope has listed two Windows programs, winrm and migwiz, for which the required directory already exists. But he admits that it was not possible to pass parameters to the programs, which significantly reduces the potential for targeted activities. But the simple fact that under certain circumstances clicking on a straightforward URL in an email can be sufficient to launch a local program without requiring confirmation from the user leaves an uncomfortable feeling. Many dangerous vulnerabilities in Outlook Express and Internet Explorer initially appeared to be similarly innocuous. And Microsoft will now be judged against the grandiose promises it made with regard to the security of Vista.”