Exploiting Windows Mail Vulnerability Could Compromise PC
Windows Mail's possible security flaw might allow attackers to execute applications on computers running Vista. Windows Vista's e-mail program has just been found with a bug that hackers could use to inject malicious code onto a victim's PC, said a researcher with Symantec. Microsoft had introduced Windows Mail as a successor to Microsoft's free e-mail client, Outlook Express. Windows Mail works in the presence of Vista so published News.Zdnet on March 23, 2007.
Microsoft's Security Response Center (MSRC) team has given low importance to the latent risk. A company spokeswoman said that MSRC had not received any reports of attacks using the vulnerability. The Center was also not aware of any impact on customers. Computerworld published the spokeswoman's statement on March 23, 2007.
She also said that users must be extremely cautious about clicking on links coming through unsolicited e-mail whether from known or unknown senders. News.Zdnet published this on March 23, 2007.
Symantec explains how an attacker can compromise a PC by sending a malicious link via e-mail that instructs a local executable program. When a victim clicks on that malicious link it causes the native program to run. In this way suppose an attacker is able to execute "winrm.cmd", a local file that functions as the Windows Remote Management command-line tool, it would enable him to gain full access to the computer. Computerworld published this on March 23, 2007.
The command that the malicious link gives to Windows Mail determines how significant the threat would be to Vista users, said Dave Marcus, research and communications manager of security at McAfee.
However, since Vista has comparatively low usage, the risk becomes less severe. Marcus turned down the possibility of much exploitation owing to little deployment of vista. But he hoped Microsoft would understand the danger of the vulnerability and patch it in its next security bulletin. News.Zdnet published this on March 23, 2007.
Microsoft released Vista OS in late January for its consumers. Since then it issued only one fix to repair Windows Defender vulnerability. The flaw was "critical" for the anti-spyware tool built in that OS.
Related article: Exploiting BITS To Compromise Windows Update
» SPAMfighter News - 31-03-2007