Article ID: 247638 - View products that this article applies to.
This article was previously published under Q247638
This article has been archived. It is offered "as is" and will no longer be updated.
For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/257824/EN-US/ )OL2000: Differences Between Outlook and Outlook Express
Microsoft has released a update that eliminates a security vulnerability in Outlook and Outlook Express. This vulnerability can allow a malicious e-mail message author to send a Hypertext Markup Language (HTML) e-mail message that, when opened, can read files on your computer. The malicious message cannot, however, add, change, or delete any messages. If this is coupled with other vulnerabilities, it can potentially be used in more advanced attacks. Only files that you can open in a browser window (such as .txt, .jpg, or .htm files) can be read by using this vulnerability. To read these messages, the malicious user must know or guess the full path and file name of every file that they want to read.
Additional information about this issue is available on the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms00-046.mspxYou can find frequently asked questions about this vulnerability on the following Microsoft Web site:
This behavior occurs because e-mail messages in the Hypertext Markup Language (HTML) format can create files that are stored outside of cache and they can therefore run in less restricted security zones.
The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
Download Q261255.exe now
Collapse this imageExpand this image
119591Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The Q261255.exe file contains the following files:
(http://support.microsoft.com/kb/119591/EN-US/ )How to Obtain Microsoft Support Files from Online Services
Error Message When You Try to Install the Security UpdateThis update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you install this update from the Microsoft Download Center:
Updates are available only for Microsoft Internet Explorer 5.01. Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, and 5, are also vulnerable to this issue, but if you run the update on a version of Internet Explorer earlier than Internet Explorer 5.01, you may receive the message that says the update is already installed on your computer. This update is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.
This update does not need to be installed on this system.
Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this update.
For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/164539/EN-US/ )How to Determine Which Version of Internet Explorer is Installed
Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5This issue is also resolved in Microsoft Internet Explorer 5.01 Service Pack 1 (SP1) and Microsoft Internet Explorer 5.5. If you want to install either of these versions, use one of the following methods:
Microsoft has confirmed this to be a problem in Outlook Express 4.x and 5.0x. The problem is resolved in Outlook Express 5.5.
Article ID: 247638 - Last Review: February 28, 2014 - Revision: 7.3