Updated: July 11, 2020 (October 8, 2001)
Sidebar: Outlook Control Enables Remote Takeover
A bug in the Outlook View Control, a frequent component of corporate portals built with digital dashboard technology, allows an attacker to run arbitrary code on a remote computer by sending HTML e-mail to the computer’s user or by luring the user to a Web page.
The Outlook View Control is an ActiveX control that allows users to view local Outlook folders (such as the Inbox) in a Web page. It is a common feature in portals, as it allows a page to display a user’s Outlook data alongside other content.
Using the control, an attacker’s script in a Web page or HTML e-mail can delete or modify the user’s Outlook data and execute any operating system command. A simple script that exploits this security hole has been posted to the Web.
All machines that have the control installed are vulnerable; it is installed by default with Outlook 2002 and Office XP, and is an optional install with Outlook 2000 and Office 2000. Most machines that run Office XP or have the Outlook E-Mail Attachment Security Update can’t be attacked via e-mail; by default, these systems won’t run scripts that arrive in HTML e-mails and so prevent attackers from exploiting the bug. These machines are still vulnerable to attacks at Web sites, however.