Vulnerability Development mailing list archives

RE: Outlook Crashing, and not asking for password


From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Wed, 19 Mar 2003 09:08:42 -0800

On some platforms, Outlook appears to use a separate process to actually
communicate with the server.  On Windows NT, that process is MAPISP32.EXE,
for example.  If outlook.exe dies but mapisp32.exe is still running, you
won't be prompted for login information when you restart Outlook.

I've never seen this happen under any other circumstances, and logging out
or rebooting should terminate mapisp32, and if you're in the habit of
leaving a physically-unsecured system unattended while logged in, you have
worse problems, so this probably isn't a vulnerability.  In any case,
Outlook is so crammed full of security holes that there's not much point in
worrying about this one.  Avoid Outlook if you can; if you're forced by a
foolish IT department (or the legacy of a former foolish IT department, in
my case) to use it, worry first about securing it against remote exploits.
(I've disabled HTML email, for example, and use an application firewall to
prevent Outlook from connecting to any system except the corporate Exchange
server.  Those two take care of a lot of the holes.)

Michael Wojcik
Principal Software Systems Developer, Micro Focus


-----Original Message-----
From: Elkhatib, Ahmad [mailto:khatib () engin umich edu] 
Sent: Wednesday, March 19, 2003 1:51 AM
To: vuln-dev () securityfocus com
Subject: Outlook Crashing, and not asking for password 


Hello List, 
 
I was using MS Outlook 2002 to check my email on an Exchange server, and
when I tried to paste a long text message it crashed. Now that's not
surprising since Outlook is weird like that. The surprising part is that
when I got the dialog asking whether I want to report the error or not,
and restart Outlook; I chose to report, and then restart. At this point
it never asked me for my password again and just restarted Outlook and
logged back into my inbox. Is this expected behavior? The fact that it
logged back into my inbox without asking for a password after it crashed
really worries me.

Any ideas? Comments?
 
-Ahmad   
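
The state described in the reply above (mapisp32.exe still running after outlook.exe has died) can be checked per logon session. The following is an added example, not part of the original thread; the function name Find-OrphanedSpooler is hypothetical and the sample process list is constructed.

```powershell
# Added example, not from the original messages.
# Reports logon sessions in which the MAPI process named in the reply
# (mapisp32.exe) is running with no outlook.exe in the same session.

function Find-OrphanedSpooler {
    param(
        # Objects exposing Name, ProcessId and SessionId properties.
        [Parameter(Mandatory)] [object[]] $Processes,
        [string] $Spooler = 'mapisp32.exe',
        [string] $Client  = 'outlook.exe'
    )
    $Processes | Group-Object SessionId | ForEach-Object {
        $names = $_.Group.Name
        # -contains / -eq compare case-insensitively, so MAPISP32.EXE matches.
        if (($names -contains $Spooler) -and ($names -notcontains $Client)) {
            $_.Group | Where-Object { $_.Name -eq $Spooler }
        }
    }
}

# Constructed sample: session 1 has a leftover spooler, session 2 is normal.
$sample = @(
    [pscustomobject]@{ Name = 'MAPISP32.EXE'; ProcessId = 1312; SessionId = 1 }
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 900;  SessionId = 1 }
    [pscustomobject]@{ Name = 'OUTLOOK.EXE';  ProcessId = 2044; SessionId = 2 }
    [pscustomobject]@{ Name = 'mapisp32.exe'; ProcessId = 2100; SessionId = 2 }
)
Find-OrphanedSpooler -Processes $sample

# Live check on the local machine (Win32_Process carries the same properties).
Find-OrphanedSpooler -Processes (Get-CimInstance Win32_Process) |
    Select-Object Name, ProcessId, SessionId
```

Any process it reports belongs to a session that should be logged out, which per the reply terminates mapisp32.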


