A possible security vulnerability in Windows Mail could let attackers run applications on PCs running Vista.
An attacker could send an e-mail with a malicious link that, when clicked on, would execute a program on the PC without warning, according to a description of the problem published Friday on a widely read security mailing list called Full Disclosure. Windows Mail is the successor to Outlook Express, Microsoft's free e-mail client, and ships with Vista.
Microsoft is investigating the issue, a company representative said in an e-mailed statement. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," the representative said.
Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said.
However, the risk is mitigated because Vista is not widely used, Marcus said. "I don't think they will see a lot of exploitation simply because there is so little Vista deployed," he said. "I think Microsoft would take this seriously and wrap this up in their next patch."
Microsoft is not aware of any attacks that actually attempted to use the newly reported Windows Mail vulnerability, it said. Upon completion of its investigation, the company could issue a security update or provide guidance in another way, the representative said.
IF the users haven't turned off Vista Program Protection. The little popups that everyone complains about. If the program that is ran can do any damage, they should receive a popup asking if they really want to run / do that action.
Here's a dirty little secret: Malware doesn't necessarily need big n' bad privileges to do some serious damage.
Coupled with this little tidbit: [i]"Painting to the screen is another action that is not blocked by UIPI. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window."[/i] *
...and one could theoretically paint an invisible window over the desktop that reads the information below that window, remains on top the whole time, and simply copies all data passing through it.
...et voila', UAC becomes pretty much useless at that point.
E-mail viruses don't exisit, only Microsoft e-mail viruses
Have you ever heard of any e-mail virus that wasn't an Outlook/Exchange Virus? Why is it IT professionals refer to Microsoft's groupware server as Virus Exchange?
Why is it anyone would use Microsoft e-mail or Office products, when other products do not have these problems?
Now here we have yet another Microsoft e-mail virus opportunity. When will it end? Never. At least not while Microsoft continues to make e-mail products.
Email viruses started on Unix, and are still very popular in that platform despite the platform's little popularity as a desktop solution. You must be new to computers.
Keep in mind that Windows Mail is just Outlook Express for Windows Vista. If you're looking for email viruses and other security holes, welcome to Windows Mail aka Outlook Express.
it must a be a slow news day. Are there any reports of actual people being hacked? Are there holes also found in other applications this week that might have slightly more maket share, therefore making it more of a danger...or ummm news story???
"Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said."
Let me re-write that for you Dave.... "Depending upon how much C4 was installed in your PC at the factory...or how much McAfee software you have loaded...your PC could either blow up or blue screen. Theoretically.....or more like realistically the success of products from MS like OneCare that are cheaper and less envasive to the users PC.....we will be out of buisness and so I must make up cr@p to scare people off.
Hey, brain trust... all it takes is one phish/spam with a halfway convincing story and link, and *poof* - it spreads like any other email malware (reads address book, self-propagates, lodges itself in the registry, etc etc...)
Apparently, its greatest ACTUAL "security-strength" is, in reality, that NOBODY WANTS IT..?
However, its market-place weaknesses are...
Wait...
Whats the posting, character-count, limit again..?
SHEESH, our companys been testing "Vista" for many months now, and weve yet to see a single element of "Vista" (functionality, performance, consumer-rights, market-demand, pricing, third-party development, OR security) which isnt a disaster.
Thank goodness, we havent had ANY customers, what-so-ever, who actually want it.
Vista is only less unsecure than other MS systems. It is not secure. Expecting it to be secure is like expecting to find Kosher bacon at your halal grocer.
This is EXACTLY why I wanted to keep Outlook Express. I could check my Hotmail, it had been around the block for a while and had time to be tested but noooooooo I have to 'upgrade' since I got a new computer with Vista... blah blah blah.
I can't think of anything else to say except 'I told you so'
This is exactly why it is a bad idea for computer vendors to have eliminated the choice of buying new computers with Windows XP. They are doing their customers a disservice and it may come back to bite them big time.
It possibly can be done doesn't equal it can be done. It might have been demonstrated, for example, that ther exists a buffer overrun, but not that it is exploitable. To be exploitable it would need to meet some other requirements such as predictability of the context in which it is run, which is not always the case. The reporter used accurate language. Reporting it as you suggest would be showing bias. Which, obviously, you have.
It wouldn't even install on my machine, and I have a new computer too, 1 year old, I get a hardware blue screen, something it chokes on. XP runs great, this will be my last MS OS.
I already switched to Mac OS and Linux 2 years ago.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
Whether Apple will release a new iPad next month doesn't seem to be the question as much as what day it will happen. A new rumor has it down to the day.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
There are a lot of things that AT&T's humongous Samsung Galaxy Note smartphone is, like a digital memo pad, a medium-size-reader, and a great photo companion.
As UC Berkeley students, the co-founders of "Back to the Roots" discovered they could grow mushrooms using recycled coffee grounds. Now their mushroom kit sells at grocery stores across the country.
IF the users haven't turned off Vista Program Protection. The little popups that everyone complains about. If the program that is ran can do any damage, they should receive a popup asking if they really want to run / do that action.
Coupled with this little tidbit:
[i]"Painting to the screen is another action that is not blocked by UIPI. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window."[/i] *
...and one could theoretically paint an invisible window over the desktop that reads the information below that window, remains on top the whole time, and simply copies all data passing through it.
...et voila', UAC becomes pretty much useless at that point.
* ref'd from: <a class="jive-link-external" href="http://msdn2.microsoft.com/en-us/library/aa480150.aspx" target="_newWindow">http://msdn2.microsoft.com/en-us/library/aa480150.aspx</a>
/P
Why is it anyone would use Microsoft e-mail or Office products, when other products do not have these problems?
Now here we have yet another Microsoft e-mail virus opportunity. When will it end? Never. At least not while Microsoft continues to make e-mail products.
"Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said."
Let me re-write that for you Dave.... "Depending upon how much C4 was installed in your PC at the factory...or how much McAfee software you have loaded...your PC could either blow up or blue screen. Theoretically.....or more like realistically the success of products from MS like OneCare that are cheaper and less envasive to the users PC.....we will be out of buisness and so I must make up cr@p to scare people off.
Hahahahahahahhahahhahhah
/P
Of course this hole is a danger.
It does not mean your new Vista box is "bad," it just means there
are real risks.
Why the negativity? The hate?
However, its market-place weaknesses are...
Wait...
Whats the posting, character-count, limit again..?
SHEESH, our companys been testing "Vista" for many months now, and weve yet to see a single element of "Vista" (functionality, performance, consumer-rights, market-demand, pricing, third-party development, OR security) which isnt a disaster.
Thank goodness, we havent had ANY customers, what-so-ever, who actually want it.
I can't think of anything else to say except 'I told you so'
<a class="jive-link-external" href="http://www.apple.com/hardware/" target="_newWindow">http://www.apple.com/hardware/</a>
<a class="jive-link-external" href="http://www.dell.com/content/products/productdetails.aspx/precn_390?c=us&l=en&s=bsd&cs=04" target="_newWindow">http://www.dell.com/content/products/productdetails.aspx/precn_390?c=us&l=en&s=bsd&cs=04</a>
As such, the "may expose" needs to be re-written as "exposes". Stop using passive tense and write in active tense!!!
Similar with "A possible security vulnerability" needs to be re-written in active voice as "a security vulnerability".
On a simlar note, "could let attackers" needs to be re-written as "lets attackers".
Is this "be kind to Microsoft week" or what? Report it AS IT IS... NOT AS MICROSOFT WISHES IT TO BE!!!
Walt
It might have been demonstrated, for example, that ther exists a buffer overrun, but not that it is exploitable. To be exploitable it would need to meet some other requirements such as predictability of the context in which it is run, which is not always the case.
The reporter used accurate language. Reporting it as you suggest would be showing bias. Which, obviously, you have.
too, 1 year old, I get a hardware blue screen, something it chokes
on. XP runs great, this will be my last MS OS.
I already switched to Mac OS and Linux 2 years ago.