There is a security vulnerability in several Microsoft Corp. products that run on the Macintosh platform that researchers say could be fertile ground for the development of a worm.
The flaw is a buffer overflow associated with the way that the applications handle a lengthy subdirectory in a particular file. It affects Internet Explorer 5.1 on the Mac OS 8, 9 and X; Outlook Express 5.0.2; Entourage 2001 and X; PowerPoint 98, 2001 and X; Excel 2001 and X; and Word 2001.
If an Outlook Express or Entourage user opened an e-mail message containing the exploit code, his machine would be compromised; in Internet Explorer, the user would need to click on a link in order for the attack to work, said Matt Conover, a member of w00w00 Security Development, which issued an advisory late Monday about the flaw.
After the exploit code is resident on a machine, it could download from the Web a program of the attackers choice, which in turn could do any number of things, including deleting files.
“The worm potential comes from the exploit reading off the contact list and sending itself to all the contacts,” Conover said. “This is even easier to exploit than ILOVEYOU because users had to open an attachment for that. Here a victim only needs to attempt to read the e-mail.”
The vulnerability was first discovered by researchers with Angry Packet Security, who reported it to Microsoft in January. The company failed to respond to the advisory, so the researchers, along with members of w00w00 Security Development planned to release their information on Feb. 17.
Once Microsoft officials saw the scope of the problem, they asked for more time to develop patches and w00w00 delayed its advisory until now.
Conover said that writing shell code to exploit the vulnerability is a simple task and that it may not be long before someone attaches such code to a worm.
“This is another vulnerability with potentially far-reaching consequences. In the case of Entourage, it has the potential for a worm, with the magnitude depending on how many people actually use Entourage,” he wrote in w00w00s advisory.
Entourage replaced Outlook for Mac in the new Office v. X suite.
