OL2000: The Outlook View Control Exposes Unsafe Functionality

Microsoft has released an update that eliminates potential security vulnerability in Microsoft Outlook 2000. This update eliminates a security vulnerability that could allow certain scripts to run in conjunction with the Microsoft Outlook View Control.

The Outlook View Control is an ActiveX control that allows you to view Outlook e-mail folders in your Web browser. The control is not installed in Outlook 2000 by default, but was available as an ActiveX control download from Microsoft, and was released with Microsoft Outlook Team Folders 2000.

This security vulnerability is also described in the Microsoft Security bulletin, "Microsoft Security Bulletin MS01-038: Outlook View Control Exposes Unsafe Functionality," which is located at the following Microsoft Web site:

This article describes how to download and apply the update.

How to Download and Install the Update

Client Update:

If you installed Outlook 2000 from CD-ROM or from a network, follow these steps to download and install the client update.

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

1. Click the following hyperlink to the Microsoft Download Center:
   http://download.microsoft.com/download/outlook2000/outlctlx/1/WIN98Me/EN-US/outlctlx.exe (http://download.microsoft.com/download/outlook2000/outlctlx/1/win98me/en-us/outlctlx.exe)
2. Click Save this program to disk, and then click OK.
3. Click Save to save the Outlctlx.exe file to the selected folder.
4. In Windows Explorer, double-click Outlctlx.exe.
5. If you are prompted to install the update, click Yes.
6. Click Yes to accept the License Agreement.
7. Insert your Office XP CD-ROM when you are prompted to do so, and then click OK.
8. When you receive a message that indicates the installation was successful, click OK.

NOTE: After you install the update, you cannot remove the update.

Administrative Update:

An administrative version is not available for the Outlook View Control update. The Microsoft Office 2000 Resource Kit contains several options for deploying the client update in your enterprise environment. For more information, click the following link: If your Office 2000 installation was performed from an Administrative installation point and you are using Admin patches, you can still apply this client patch to your machines because it is not a Windows Installer patch. The ActiveX control mentioned in this article that this patch is designed for is not part of the original product so there is no reference to these files in the Data1.msi which will enable this patch to be distributed to the client machines.

How to Determine Whether the Update Is Installed

The update adds or replaces the Outlctlx.dll. Outlctlx.dll version will be updated to 10.0.0.3124.

Other Information

The Outlook View Control was never installed as a component of an Office or Outlook installation. If you have this ActiveX control installed on your computer it has been installed by using one of the methods outlined in the Microsoft Knowledge Base article Q281618. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
NOTE: You can install the Outlook View Control update even if you do not yet have the Outlook View Control installed on your computer. This ensures that you have the updated version of the ActiveX control installed on your computer so that you are protected in the event you utilize the control in the future.