
March 23, 2007 1:59 PM PDT

Windows Mail bug may expose Vista users

A possible security vulnerability in Windows Mail could let attackers run applications on PCs running Vista.

An attacker could send an e-mail with a malicious link that, when clicked on, would execute a program on the PC without warning, according to a description of the problem published Friday on a widely read security mailing list called Full Disclosure. Windows Mail is the successor to Outlook Express, Microsoft's free e-mail client, and ships with Vista.

Microsoft is investigating the issue, a company representative said in an e-mailed statement. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," the representative said.

Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said.

However, the risk is mitigated because Vista is not widely used, Marcus said. "I don't think they will see a lot of exploitation simply because there is so little Vista deployed," he said. "I think Microsoft would take this seriously and wrap this up in their next patch."

Vista has been available to consumers since late January. Since then, Microsoft has issued one security update for the operating system to repair a "critical" vulnerability in the scanning engine for Windows Defender, the built-in antispyware tool.

Microsoft is not aware of any attacks that actually attempted to use the newly reported Windows Mail vulnerability, it said. Upon completion of its investigation, the company could issue a security update or provide guidance in another way, the representative said.

(23 Comments)
Vista Security
by pgp_protector March 23, 2007 3:07 PM PDT
I wonder how much damage can this do IF.

IF the users haven't turned off Vista Program Protection. The little popups that everyone complains about. If the program that is run can do any damage, they should receive a popup asking if they really want to run / do that action.
UAC
by Ahnospell44 March 23, 2007 8:43 PM PDT
That program will more than likely be removed or stripped down as people begin to complain too much about it. I know that there's already a bypass somewhere out there that gets through UAC so...really protection is only in the mind.
Depends...
by Penguinisto March 25, 2007 8:17 PM PDT
Here's a dirty little secret: Malware doesn't necessarily need big n' bad privileges to do some serious damage.

Coupled with this little tidbit:
"Painting to the screen is another action that is not blocked by UIPI. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window." *

...and one could theoretically paint an invisible window over the desktop that reads the information below that window, remains on top the whole time, and simply copies all data passing through it.

...et voilà, UAC becomes pretty much useless at that point.

* ref'd from: http://msdn2.microsoft.com/en-us/library/aa480150.aspx

/P
E-mail viruses don't exist, only Microsoft e-mail viruses
by Microsoft_Facts March 23, 2007 3:21 PM PDT
Have you ever heard of any e-mail virus that wasn't an Outlook/Exchange Virus? Why is it IT professionals refer to Microsoft's groupware server as Virus Exchange?

Why is it anyone would use Microsoft e-mail or Office products, when other products do not have these problems?

Now here we have yet another Microsoft e-mail virus opportunity. When will it end? Never. At least not while Microsoft continues to make e-mail products.
There are non-MS e-mail solutions?
by spacydog March 23, 2007 3:47 PM PDT
Really? Never heard of them. Hackers must assume the same as well.
Yes, 90% of them.
by herby67 March 25, 2007 5:20 PM PDT
Email viruses started on Unix, and are still very popular in that platform despite the platform's little popularity as a desktop solution. You must be new to computers.
Windows Mail, the upgraded Outlook Express
by jeromatron March 23, 2007 4:05 PM PDT
Keep in mind that Windows Mail is just Outlook Express for Windows Vista. If you're looking for email viruses and other security holes, welcome to Windows Mail aka Outlook Express.
Dam
by Lindy01 March 23, 2007 7:27 PM PDT
it must be a slow news day. Are there any reports of actual people being hacked? Are there holes also found in other applications this week that might have slightly more market share, therefore making it more of a danger...or ummm news story???

"Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said."

Let me re-write that for you Dave.... "Depending upon how much C4 was installed in your PC at the factory...or how much McAfee software you have loaded...your PC could either blow up or blue screen. Theoretically.....or more like realistically the success of products from MS like OneCare that are cheaper and less invasive to the user's PC.....we will be out of business and so I must make up cr@p to scare people off.

Hahahahahahahhahahhahhah
Sire... (hehe)
by Penguinisto March 25, 2007 8:03 PM PDT
Hey, brain trust... all it takes is one phish/spam with a halfway convincing story and link, and *poof* - it spreads like any other email malware (reads address book, self-propagates, lodges itself in the registry, etc etc...)

/P
Damn, That is Bad Logic
by dansterpower March 26, 2007 6:11 AM PDT
I am constantly amazed at your blind defence of Vista.

Of course this hole is a danger.

It does not mean your new Vista box is "bad," it just means there are real risks.

Why the negativity? The hate?
VISTA - The most secure "Windows", yet...
by Gayle Edwards March 23, 2007 10:02 PM PDT
Apparently, its greatest ACTUAL "security-strength" is, in reality, that NOBODY WANTS IT..?

However, its market-place weaknesses are...

Wait...

What's the posting, character-count, limit again..?

SHEESH, our company's been testing "Vista" for many months now, and we've yet to see a single element of "Vista" (functionality, performance, consumer-rights, market-demand, pricing, third-party development, OR security) which isn't a disaster.

Thank goodness, we haven't had ANY customers, what-so-ever, who actually want it.
Vista Is Less Un-secure
by Stating March 23, 2007 11:45 PM PDT
Vista is only less unsecure than other MS systems. It is not secure. Expecting it to be secure is like expecting to find Kosher bacon at your halal grocer.
Exactly why I wanted to keep express
by Mentor397 March 24, 2007 2:24 AM PDT
This is EXACTLY why I wanted to keep Outlook Express. I could check my Hotmail, it had been around the block for a while and had time to be tested but noooooooo I have to 'upgrade' since I got a new computer with Vista... blah blah blah.

I can't think of anything else to say except 'I told you so'
Vendors Forcing The Public To Buy Vista
by Stating March 24, 2007 8:26 AM PDT
This is exactly why it is a bad idea for computer vendors to have eliminated the choice of buying new computers with Windows XP. They are doing their customers a disservice and it may come back to bite them big time.
I Remember You
by JustinUT79 March 24, 2007 1:02 PM PDT
Oh... Now I remember you. Weren't you the one who posted the exact same comment when XP came out and before XP when 2000 came out? :)
No one is being forced to buy Vista
by rcrusoe March 24, 2007 8:49 PM PDT
Many of us have been running stable, reasonably secure, computers for years. You can too.

http://www.apple.com/hardware/

http://www.dell.com/content/products/productdetails.aspx/precn_390?c=us&l=en&s=bsd&cs=04
Report it as it is... not as Microsoft wants...
by wbenton March 25, 2007 4:54 AM PDT
If it CAN be done... then there is no possibility to it... it's 100% possible.

As such, the "may expose" needs to be re-written as "exposes". Stop using passive tense and write in active tense!!!

Similar with "A possible security vulnerability" needs to be re-written in active voice as "a security vulnerability".

On a similar note, "could let attackers" needs to be re-written as "lets attackers".

Is this "be kind to Microsoft week" or what? Report it AS IT IS... NOT AS MICROSOFT WISHES IT TO BE!!!

Walt
CNET are always kind to Microsoft
by ozidigga March 25, 2007 5:11 PM PDT
Spose they don't bite the hand that feeds them...the major Microsoft bugs don't even get reported by CNET but are often all over google news.
You know little about security, right?
by herby67 March 25, 2007 5:19 PM PDT
It possibly can be done doesn't equal it can be done.
It might have been demonstrated, for example, that there exists a buffer overrun, but not that it is exploitable. To be exploitable it would need to meet some other requirements such as predictability of the context in which it is run, which is not always the case.
The reporter used accurate language. Reporting it as you suggest would be showing bias. Which, obviously, you have.
Vista does suck
by rmiecznik March 26, 2007 8:23 AM PDT
It wouldn't even install on my machine, and I have a new computer too, 1 year old, I get a hardware blue screen, something it chokes on. XP runs great, this will be my last MS OS.

I already switched to Mac OS and Linux 2 years ago.