Posted: Oct. 08, 2001
A bug in the Outlook View Control, a frequent component of corporate portals built with digital dashboard technology, allows an attacker to run arbitrary code on a remote computer by sending HTML e-mail to the computer's user or by luring the user to a Web page.

The Outlook View Control is an ActiveX control that allows users to view local Outlook folders (such as the Inbox) in a Web page. It is a common feature in portals, as it allows a page to display a user's Outlook data alongside other content.

Using the control, an attacker's script in a Web page or HTML e-mail can delete or modify the user's Outlook data and execute any operating system command. A simple script that exploits this security hole has been posted to the Web.

All machines that have the control installed are vulnerable; it is installed by default with Outlook 2002 and Office XP, and is an optional install with Outlook 2000 and Office 2000. Most machines that run Office XP or have the Outlook E-Mail Attachment Security Update can't be attacked via e-mail: by default, these systems won't run scripts that arrive in HTML e-mails, which prevents attackers from exploiting the bug through that route. These machines are still vulnerable to attacks via Web sites, however.

Microsoft has issued a patched version of the View Control and a hotfix to patch the control on machines where it is already installed. The patch disables some functions provided by the control, which could affect some Web Parts that use it. Further information and links to the downloads are available at www.microsoft.com/technet/security/bulletin/MS01-038.asp.