March 23, 2007 1:59 PM PDT

Windows Mail bug may expose Vista users

Related Stories

Vista for the masses

April 4, 2007

Explaining a Vista ban

March 22, 2007

Microsoft probes possible IE 7 phishing hole

March 14, 2007

Microsoft patches 20 security flaws

February 13, 2007
A possible security vulnerability in Windows Mail could let attackers run applications on PCs running Vista.

An attacker could send an e-mail with a malicious link that, when clicked on, would execute a program on the PC without warning, according to a description of the problem published Friday on a widely read security mailing list called Full Disclosure. Windows Mail is the successor to Outlook Express, Microsoft's free e-mail client, and ships with Vista.

Microsoft is investigating the issue, a company representative said in an e-mailed statement. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," the representative said.

Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said.

However, the risk is mitigated because Vista is not widely used, Marcus said. "I don't think they will see a lot of exploitation simply because there is so little Vista deployed," he said. "I think Microsoft would take this seriously and wrap this up in their next patch."

Vista has been available to consumers since late January. Since then, Microsoft has issued one security update for the operating system to repair a "critical" vulnerability in the scanning engine for Windows Defender, the built-in antispyware tool.

Microsoft is not aware of any attacks that actually attempted to use the newly reported Windows Mail vulnerability, it said. Upon completion of its investigation, the company could issue a security update or provide guidance in another way, the representative said.

See more CNET content tagged:
attacker, Microsoft Windows Vista, security, Microsoft Corp., e-mail


Join the conversation!
Add your comment
Vista Security
I wonder how much damage can this do IF.

IF the users haven't turned off Vista Program Protection. The little popups that everyone complains about. If the program that is ran can do any damage, they should receive a popup asking if they really want to run / do that action.
Posted by pgp_protector (122 comments )
Reply Link Flag
Here's a dirty little secret: Malware doesn't necessarily need big n' bad privileges to do some serious damage.

Coupled with this little tidbit:
[i]"Painting to the screen is another action that is not blocked by UIPI. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window."[/i] *

...and one could theoretically paint an invisible window over the desktop that reads the information below that window, remains on top the whole time, and simply copies all data passing through it. voila', UAC becomes pretty much useless at that point.

* ref'd from: <a class="jive-link-external" href="" target="_newWindow"></a>

Posted by Penguinisto (5042 comments )
Link Flag
E-mail viruses don't exisit, only Microsoft e-mail viruses
Have you ever heard of any e-mail virus that wasn't an Outlook/Exchange Virus? Why is it IT professionals refer to Microsoft's groupware server as Virus Exchange?

Why is it anyone would use Microsoft e-mail or Office products, when other products do not have these problems?

Now here we have yet another Microsoft e-mail virus opportunity. When will it end? Never. At least not while Microsoft continues to make e-mail products.
Posted by Microsoft_Facts (109 comments )
Reply Link Flag
There are non-MS e-mail solutions?
Really? Never heard of them. Hackers must assume the same as well.
Posted by spacydog (380 comments )
Link Flag
Yes, 90% of them.
Email viruses started on Unix, and are still very popular in that platform despite the platform's little popularity as a desktop solution. You must be new to computers.
Posted by herby67 (144 comments )
Link Flag
Windows Mail, the upgraded Outlook Express
Keep in mind that Windows Mail is just Outlook Express for Windows Vista. If you're looking for email viruses and other security holes, welcome to Windows Mail aka Outlook Express.
Posted by jeromatron (103 comments )
Reply Link Flag
it must a be a slow news day. Are there any reports of actual people being hacked? Are there holes also found in other applications this week that might have slightly more maket share, therefore making it more of a danger...or ummm news story???

"Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said."

Let me re-write that for you Dave.... "Depending upon how much C4 was installed in your PC at the factory...or how much McAfee software you have loaded...your PC could either blow up or blue screen. Theoretically.....or more like realistically the success of products from MS like OneCare that are cheaper and less envasive to the users PC.....we will be out of buisness and so I must make up cr@p to scare people off.

Posted by Lindy01 (443 comments )
Reply Link Flag
Sire... (hehe)
Hey, brain trust... all it takes is one phish/spam with a halfway convincing story and link, and *poof* - it spreads like any other email malware (reads address book, self-propagates, lodges itself in the registry, etc etc...)

Posted by Penguinisto (5042 comments )
Link Flag
Damn, That is Bad Logic
I am constantly amazed at your blind defence of Vista.

Of course this hole is a danger.

It does not mean your new Vista box is "bad," it just means there
are real risks.

Why the negativity? The hate?
Posted by dansterpower (2511 comments )
Link Flag
VISTA - The most secure "Windows", yet...
Apparently, its greatest ACTUAL "security-strength" is, in reality, that NOBODY WANTS IT..?

However, its market-place weaknesses are...


Whats the posting, character-count, limit again..?

SHEESH, our companys been testing "Vista" for many months now, and weve yet to see a single element of "Vista" (functionality, performance, consumer-rights, market-demand, pricing, third-party development, OR security) which isnt a disaster.

Thank goodness, we havent had ANY customers, what-so-ever, who actually want it.
Posted by Gayle Edwards (262 comments )
Reply Link Flag
Vista Is Less Un-secure
Vista is only less unsecure than other MS systems. It is not secure. Expecting it to be secure is like expecting to find Kosher bacon at your halal grocer.
Posted by Stating (869 comments )
Link Flag
Exactly why I wanted to keep express
This is EXACTLY why I wanted to keep Outlook Express. I could check my Hotmail, it had been around the block for a while and had time to be tested but noooooooo I have to 'upgrade' since I got a new computer with Vista... blah blah blah.

I can't think of anything else to say except 'I told you so'
Posted by Mentor397 (73 comments )
Reply Link Flag
Vendors Forcing The Public To Buy Vista
This is exactly why it is a bad idea for computer vendors to have eliminated the choice of buying new computers with Windows XP. They are doing their customers a disservice and it may come back to bite them big time.
Posted by Stating (869 comments )
Reply Link Flag
I Remember You
Oh... Now I remember you. Weren't you the one who posted the exact same comment when XP out and before XP when 2000 came out? :)
Posted by JustinUT79 (1 comment )
Link Flag
No one is being forced to buy Vista
Many of us have been running stable, reasonably secure, computers for years. You can too.

<a class="jive-link-external" href="" target="_newWindow"></a>

<a class="jive-link-external" href=";l=en&#38;s=bsd&#38;cs=04" target="_newWindow">;l=en&#38;s=bsd&#38;cs=04</a>
Posted by rcrusoe (1305 comments )
Link Flag
Report it as it is... not as Microsoft wants...
If it CAN be done... then there is no possibility to it... it's 100% possible.

As such, the "may expose" needs to be re-written as "exposes". Stop using passive tense and write in active tense!!!

Similar with "A possible security vulnerability" needs to be re-written in active voice as "a security vulnerability".

On a simlar note, "could let attackers" needs to be re-written as "lets attackers".

Is this "be kind to Microsoft week" or what? Report it AS IT IS... NOT AS MICROSOFT WISHES IT TO BE!!!

Posted by wbenton (522 comments )
Reply Link Flag
CNET are always kind to Microsoft
Spose they don't bite the hand that feeds them...the major Microsoft bugs don't even get reported by CNET but are often all over google news.
Posted by ozidigga (77 comments )
Link Flag
CNET are always kind to Microsoft
Spose they don't bite the hand that feeds them...the major Microsoft bugs don't even get reported by CNET but are often all over google news.
Posted by ozidigga (77 comments )
Link Flag
You know little about security, right?
It possibly can be done doesn't equal it can be done.
It might have been demonstrated, for example, that ther exists a buffer overrun, but not that it is exploitable. To be exploitable it would need to meet some other requirements such as predictability of the context in which it is run, which is not always the case.
The reporter used accurate language. Reporting it as you suggest would be showing bias. Which, obviously, you have.
Posted by herby67 (144 comments )
Link Flag
Vista does suck
It wouldn't even install on my machine, and I have a new computer
too, 1 year old, I get a hardware blue screen, something it chokes
on. XP runs great, this will be my last MS OS.

I already switched to Mac OS and Linux 2 years ago.
Posted by rmiecznik (224 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.