[24989] in bugtraq


RE: More Office XP problems

daemon@ATHENA.MIT.EDU (Leonard Chung)
Fri Apr 5 22:07:03 2002

From: "Leonard Chung" <leonardc@cs.berkeley.edu>
To: <guninski@guninski.com>, "Ben Schorr" <bms@hawaiilawyer.com>
Cc: "'BUGTRAQ@SECURITYFOCUS.COM'" <BUGTRAQ@securityfocus.com>
Date: Thu, 4 Apr 2002 22:53:37 -0800
Message-ID: <HHEKIBIGHICPGLHFMKKJKENGCNAA.leonardc@cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <3CAC2FA7.6050005@guninski.com>

>This is the default option on Outlook, I believe.

The default for Outlook is actually to use the Outlook editor and NOT the
Word editor for all previous versions of Outlook (Outlook 2000 and Outlook
97).

I doubt MS changed the default for Outlook XP as Outlook is supposed to be a
standalone e-mail/PIM that doesn't require Word.

Leonard

-----Original Message-----
From: Georgi Guninski [mailto:guninski@guninski.com]
Sent: Thursday, April 04, 2002 2:49 AM
To: Ben Schorr
Cc: 'BUGTRAQ@SECURITYFOCUS.COM'
Subject: Re: More Office XP problems

Ben Schorr wrote:
> Worth noting that this problem (the Outlook part anyhow) appears to actually
> be a Word vulnerability in that it only affects people who use the WordMail
> editor.  People who use the default Outlook editor are apparently not
> affected by the forward/reply vulnerability.
>
> http://www.slipstick.com for more info.
>
> That's not to suggest that it isn't a vulnerability that shouldn't be fixed
> - just that there appears to be a fairly easy workaround and not all users
> are affected to begin with.
>

This is the default option on Outlook, I believe.


> To work-around this problem in Outlook go to Tools | Options | Mail Format
> and uncheck the boxes for "Use Word to..."  That will cause Outlook to use
> its own native editor for such things and shuts the window on this exploit.
>

While this will prevent the reply/forward issue, it won't help if one
receives and opens a .doc or .xls attachment with the bug, will it?

That's why I suggest uninstalling/deleting as much buggyware as one can.

Georgi Guninski
http://www.guninski.com



