Microsoft Raises Threat Level of Outlook Hole

A day after issuing a fix for an Outlook 2002 vulnerability, Microsoft warns that another attack scenario makes the risk to users "critical."

Microsoft Corp. on Wednesday upped the severity of one of three security patches it issued a day earlier, warning that it discovered another attack scenario for a hole in Outlook 2002.

The Redmond, Wash., software maker increased the threat level of the Outlook security vulnerability to its highest level of four, "critical." The Outlook 2002 hole could let an attacker run malicious code on a user's machine.

Microsoft originally had labeled the vulnerability as "important" and believed that attackers could only exploit the hole if users had set the Outlook Today folder as the default view for Outlook 2002, said Mike Reavey, a Microsoft security program manager.

After issuing a fix for the Outlook hole, as part of Microsoft's March security bulletin releases, the company learned from the researcher who discovered the vulnerability that attackers could reach a wider number of users by forcing them into the view in order to run an exploit, Reavey said.

"It has the potential to affect users that are in any (Outlook 2002) view at all," he said.

The change in the security hole's severity does not affect the actual fix that Microsoft issued, Reavey said, but lets users know that the risk is greater than originally thought.
