Initially, the scope of this flaw sounds tremendous. However, any user running
Outlook Express 6.0 or Outlook 2002 (Outlook XP) is protected from any emails containing
an exploit for this flaw. Users of Outlook 98 and Outlook 2000 who have applied
the email security update are also protected. Many companies and ISPs also
only allow text-based email, so HTML mail would not get through.
That eliminates a lot of the exposure, at least on the email side, but it still doesn't
stop someone from executing malicious code by visiting the attacker's web
page. To protect yourself from these attacks you can either disable active
scripting in Internet Explorer or apply the patch available from Microsoft (MS03-008). The
problem with disabling active scripting is that it provides a lot of functionality
to web sites, and you may not be able to access certain sites or perform
certain tasks without it.
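The following PowerShell script is an added example and is not part of the original article. It audits the "Active scripting" setting for each Internet Explorer security zone by reading the zone registry keys (assumed standard layout: value 1400 under each zone key, where 0 = Enable, 1 = Prompt, 3 = Disable), so an administrator can confirm whether the mitigation described above is actually in effect.

```powershell
# Added example, not from the original article. Audits the Internet Explorer
# "Active scripting" setting per security zone via the registry.
# Assumed layout (standard IE zone keys):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   value 1400 = Active scripting; data 0 = Enable, 1 = Prompt, 3 = Disable
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
#               3 = Internet, 4 = Restricted sites
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';    4 = 'Restricted sites' }
$stateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    param([int]$Zone)
    $key   = Join-Path $zonesKey $Zone
    $props = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }   # value absent: zone uses its built-in default
    return [int]$props.'1400'
}

# Report every zone; the Internet zone (3) is the one that matters for
# untrusted web pages such as the attacker's page described in the article.
foreach ($z in 0..4) {
    $state = Get-ActiveScriptingState -Zone $z
    $label = if ($null -eq $state) { 'not set (default)' } else { $stateNames[$state] }
    '{0,-16} zone {1}: Active scripting = {2}' -f $zoneNames[$z], $z, $label
}

# To apply the mitigation for the Internet zone, set the value to 3 (Disable).
# Left commented out because, as the article notes, many sites stop working.
# Set-ItemProperty -Path (Join-Path $zonesKey 3) -Name '1400' -Value 3 -Type DWord
```

Per-machine policy under HKLM can override the per-user values shown here, so an empty or "Enabled" result for HKCU is not by itself proof that scripting is on.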
Another caveat is that the attacker could only run programs in the context of the user.
In plain terms, this means that if the user does not have full administrative privileges, then
neither will the attacker. The attacker would only be able to perform tasks or view files
that the user can normally do as well. It is a good security practice not to log in with
full administrative privileges for this very reason.
On the bright side, the anti-virus software vendors will probably be including
detection for emails carrying this exploit soon, and any web site that is
found hosting it will get shut down soon after it is discovered to contain malicious
code, so there doesn't seem to be much risk of a virus or worm being able to
take advantage of this.