Robert Lemos
CNET News.com
March 11, 2004

A security hole that Microsoft patched on Tuesday is more serious than first thought, the company says

Microsoft has raised the severity rating of an Outlook flaw to "critical," its highest level, after its initial analysis was challenged by the researcher who found the security hole.

The vulnerability in Outlook 2002, first publicised on Tuesday, when Microsoft released a patch, could allow an attacker to use a malicious Web site to cause an affected PC to download and execute a program.

When Microsoft released its fix, it said it believed that the attack could only be accomplished if a PC user had the "Outlook Today" folder as the default home page in Outlook 2002. Now, after being alerted by Jouko Pynonnen, the Finnish security researcher who found the flaw, it says the potential for attack is greater.

"After we released the bulletin, we were made aware that (the 'Outlook Today' restriction) could be gotten around by the attacker," said Stephen Toulouse, the program manager for Microsoft's Security Response Centre. Toulouse stressed that the patch provided to customers on Tuesday prevents any attack, even though the hole is larger than first thought.

It's the third time in the past 18 months that Microsoft has upgraded the severity of a security flaw. In December 2002, it upped two "moderate" vulnerabilities to "critical" status, after the researchers who found the holes cast doubt on Microsoft's initial classification.

Pynonnen said Microsoft had not notified him when the patch was planned for release, nor had the company told him how serious it considered the vulnerability.

"I didn't know the issue [was] going to be published this month," he said. Pynonnen added that if he had known, he would have done more research on the mitigating factors Microsoft had assumed.

Pynonnen warned on Wednesday that the vulnerability could be used by an attack to spread a virus through email messages sent to Outlook 2002 users.

Microsoft took more than seven months to patch the vulnerability, a delay that highlights the software giant's focus on quality over speed in its fixes. Some critics have suggested Microsoft should produce patches faster, but Microsoft's Toulouse said finding the full extent of flaws and eliminating patch problems are company focal points.

"We always try to figure out how broad the impact [of the flaw] will be and try to cover all the possibilities in the patch," he said.