Bug found in Windows Mail

Posted on Thursday, Mar 29 2007 @ 08:25 CEST by Thomas De Maesschalck
Earlier this week German security experts announced they've found the first bug in Windows Vista's new Windows Mail application.
The successor to Outlook Express links seamlessly with its predecessor's dubious reputation in matters of security. Just a few months after its official release, the first significant security problem has been uncovered: under certain circumstances, simply clicking on a link in an email can cause a program to be launched on the local computer.

A hacker going by the pseudonym Kingcope has reported on a security mailing list that this can be achieved by simply embedding a link to a local program in an email. If a directory with the same name as the executable program exists, the program will be executed by Windows Mail when the user clicks on the link without requiring any confirmation. A brief test at heise Security confirmed this. After creating a folder called calc in C:WindowsSystem32, clicking on a link to c:/windows/system32/calc? launched the calculator without any further user interaction.

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments