Yes, i have. I take into the consideration if the risk outweighs the
convenience - this includes considering how prevalent the exploit is and
whether it's likely to become widespread and if other actions will help to
negate the issue. So many of the recent bulletins require user interaction -
when a user needs convinced to go to a specific site, download something, or
do any other action based on what an email says, they are going to have a
lot more problems than just ones caused by the exploits. That makes the
exploit less than critical IMHO. In this case, the risk to the average user
is low. Why? Read the mitigating factors:
..In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker could also attempt to compromise a Web site to have it serve up a
Web page with malicious content attempting to exploit this vulnerability. An
attacker would have no way to force users to visit a Web site. Instead, an
attacker would have to persuade them to visit the Web site, typically by
getting them to click a link that takes them to the attacker's site or a
site compromised by the attacker.
There's that old 'user intervention' thing...
..By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 2000
opens HTML e-mail messages in the Restricted sites zone if the Outlook
E-mail Security Update has been installed. Outlook Express 5.5 Service Pack
2 opens HTML e-mail messages in the Restricted sites zone if Microsoft
Security Bulletin MS04-018 has been installed. The Restricted sites zone
helps reduce attacks that could attempt to exploit this vulnerability.
Outlook has been somewhat protected from this since the security update
released in June 2000. This is 2005... there is no excuse to not have
Outlook protected. OL98 is at risk, but we've said all along that it's the
least secure of all versions... those users should definitely use Chilton
preview until they upgrade. OL97 is 100% safe from this an other HTML risks,
unless the user opens an HTML attachment.
The risk of attack from the HTML e-mail vector can be significantly reduced
if you meet all the following conditions:
..Apply the update that is included with Microsoft Security Bulletin MS03-040
or a later Cumulative Security Update for Internet Explorer.
..Use Internet Explorer 6 or later.
..Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in
its default configuration.
There's that thing about keeping programs up-to-date again.
The easiest way to reduce your risk is to stay off questionable sites
(especially porn and warez sites) and keep AV and your other software up to
date.
Anyone who is worried but wants to use preview can enable plain text in the
preview or use Chilton preview - it's no more '3rd party' than pocketknife
peek and makes reading mail much faster than PP. Me? I'm not shaking in my
shoes over this one and I certainly won't recommend anyone disable preview
to prevent it - i will tell them to make sure they have the latest patches
for their versions because they are still at risk if they disable preview
but open the message.
--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)
Join OneNote Tips mailing list:
http://www.onenote-tips.net/
Diane have you seen this?
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:
A remote code execution vulnerability exists in the way that cursor,
animated cursor, and icon formats are handled. An attacker could try to
exploit the vulnerability by constructing a malicious cursor or icon file
that could potentially allow remote code execution if a user visited a
malicious Web site or viewed a malicious e-mail message. An attacker who
successfully exploited this vulnerability could take complete control of an
affected system.
Now do you believe that Previewing a "malicious e-mail message" is
sufficient to avoid this? I suggest NOT. And I suggest that Microsoft
although probably would tell us one way or the other won't. Sure go ahead
and install the security update. But that's today. Which has been my point
all along. Don't preview and you don't have to worry about it. Pretty
simple.