Microsoft issued two advisories on 20th November 2002. It appears, however, that the vulnerabilities STILL exist to a certain extent.
MS02-065, regarding vulnerabilities in RDS / MDAC
Microsoft has stated that the previous version of MDAC may be reactivated by an attacker because the Kill Bit has not been set. This allows an old component to be reactivated without any warning, so the vulnerability may still be exploited.
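A defender's check for the condition described above, as an added example that is not part of the original advisory: it reads a text export of the Internet Explorer "ActiveX Compatibility" registry key and reports whether the kill bit (0x400 in "Compatibility Flags") is set for given CLSIDs. The sample export and its CLSIDs are constructed placeholders, since the advisory does not name the affected control's CLSID.

```python
import re

# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x400
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def parse_compat_flags(reg_text):
    """Return {CLSID: flags or None} from decoded .reg export text."""
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            if current:
                found.setdefault(current, None)  # key exists, value not seen yet
        elif current:
            m = FLAGS_RE.match(line)
            if m:
                found[current] = int(m.group(1), 16)
    return found

def kill_bit_status(reg_text, clsids):
    """Classify each CLSID; only 'kill bit set' stops IE from loading the control."""
    found = parse_compat_flags(reg_text)
    status = {}
    for clsid in clsids:
        flags = found.get(clsid.upper())
        if flags is None:
            status[clsid] = "no Compatibility Flags value"
        elif flags & KILL_BIT:
            status[clsid] = "kill bit set"
        else:
            status[clsid] = "kill bit clear"
    return status

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"""
```

Registry exports are normally written as UTF-16, so decode the file before passing its text to `kill_bit_status`.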
MS02-066, regarding a cumulative patch which closed numerous vulnerabilities. This should apparently have fixed the issue which allowed malicious websites to execute executable files in the local security zone. This is, however, still possible; what has been closed is another vulnerability which made it possible to pass arguments to the executable file.
It is also still possible to read the contents of the clipboard as well as to write new contents to it.
Microsoft has known about these vulnerabilities at least since 22nd October 2002.
Solution: Outlook and Outlook Express are not vulnerable IF you have deployed "Outlook Email Security Update" or run Outlook 2002 or Outlook Express 6.
Subject: Microsoft vulnerabilities not fixed