Home page logo

bugtraq logo Bugtraq mailing list archives

RE: SECURITY.NNOV: Outlook Express address book spoofing
From: "Matt Priestley" <mpriest () microsoft com>
Date: Mon, 11 Jun 2001 11:33:28 -0700

Mitigating the problem somewhat is the fact that if G1 & G2 already
correspond (which seems plausible given the attack scenario) there would
already be an entry for G2 in the contact list. In that case doesn't OE
pop up an arbitration dialog? That ought to give the user a clue that
something is amiss. They will have to choose "which" address to send to.

Personally at that point I would ask myself how I managed to get two
entries and check them a little more closely in order to select one.

-matthew Priestley
mpriest () microsoft com

Phone: 425-703-9478
Fax: 425-936-7329

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
Sent: Tuesday, June 05, 2001 4:09 AM
To: bugtraq () securityfocus com
Subject: SECURITY.NNOV: Outlook Express address book spoofing

Hello bugtraq,

sorry if this is already known - the bug is trivial.

Issue                   :  Outlook  Express  address  book allows
                           messages to be intercepted by 3rd party
Date Released           :  16 March 2001
Vendor Notified         :  16 March 2001
Author                  :  3APA3A <3APA3A () security nnov ru>
Affected                :  Outlook Exress 5.5SP1 and prior
Discovered              :  18 December 2000 by 3APA3A
Remotely Exploitable    :  Yes
Vendor URL              :  http://www.microsoft.com
SECURITY.NNOV advisories:  http://www.security.nnov.ru/advisories

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]