The fact that you can put a VBScript program inside an Outlook Form and have it execute—even if Outlook has been told not to run macros—has been raising red flags this week.

But in spite of what you may have read, that questionable behavior isn’t readily exploited.

There’s no gaping security hole to see here. Move along.

Yesterday Richard Chirgwin at The Register wrote about how a pen-tester was able to get past Microsoft VB macro barriers.

The article points to research published late last week by etienne at SensePost.

To make a long story short, yes it’s possible to write a VBScript program, attach it to an Outlook Form, and have the script do just about anything on a PC (“within the context of the logged-on user”) when the Form is used.
