A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.
These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express. Microsoft Security Response Center [blogs.technet.com]
"Your browser is vulnerable! We were able to order a pizza from Papa John's, so that's absolute proof that we could steal confidential data from your bank.
P.S. Sorry we don't actually demonstrate stealing info from your bank, but we're totally confident it could happen tomorrow."
I've got bigger worries about my 14-year-old swiping a twenty out of my wallet while I'm in the shower... seems a lot higher priority than wringing my hands over this exploit.
Then Outlook Express needs to be fixed ASAP.
I would almost swear that the IE blog initially referred to this as a 3rd-party object that is used in Outlook Express. Looking back at that blog entry now, the 3rd-party words are gone.
If it was a 3rd-party vendor then I'll bet that vendor is feeling some pretty nice heat at the moment. If not, then it's somewhat interesting to see one MS team point to another team and say "it's their bug"... The bug belongs to both teams; that's what happens when the OS and the applications are tightly integrated.
Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.
Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.
The test for the vulnerability still fails. (Or succeeds, depending on your viewpoint...)
There is a complex manual removal procedure at the Microsoft website. It involves removing a large number of directories and registry keys. A number of spyware/adware removal tools also purport to completely remove Outlook Express.
I've done a bit more poking around, and I think that NEITHER of the characterizations of where the problem really lies (MSIE, Outlook Express) may be correct. I think this is a component further embedded in Windows. A Symantec write-up on a similar problem suggests that disabling the mhtml handler may adversely affect the help system.
Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.
Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.
This won't ever work; you can't uninstall it, just like you can't uninstall IE. The OS requires it for some functionality. Although uninstall instructions do exist, some of the underlying layers will always be there, including the mhtml handler.
[edited by: Demaestro at 10:11 pm (utc) on Oct. 23, 2006]
But that is like saying if someone looks over your shoulder then they could get your PIN number at a cash machine.
If someone can post here with real-life experience of this bug affecting them then that would be worth talking about.
As it is you probably have more chance of winning the lottery - but that isn't newsworthy, is it?
I am sick of this sort of stuff ending up on the front page of WebmasterWorld - please someone post an experience of being hacked/spoofed or something similar. Otherwise please choose something else to get news from - this is not it.
The other thing I would check is.. the Internet.
Being connected to the Internet may severely affect your security - the fix... don't browse the web, uninstall email software and web browsing software as well, just in case they can get you using telepathy. Even better, turn off your computer.
Sorry, just joking - but seriously, don't panic; it isn't a new problem and not one currently being exploited.
[edited by: KPosition at 10:36 pm (utc) on Oct. 24, 2006]