OLEXP: Patch Available for MHTML E-mail Vulnerability

If you open an e-mail message that was composed by a malicious e-mail author who used Multipurpose Internet Mail Extension Hypertext Markup Language (MHTML), files from the MHTML message may be placed in predictable locations on your hard disk. After the files are on your hard disk, the malicious e-mail message author can open these files that now run in the same security zone as those on your hard disk.

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft Internet Explorer 5.01 service pack that contains this fix.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.


The following files are available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The Q261255.exe file contains the following files:

• Inetcomm.dll
• Msoe.dll
• Msoert2.dll

Error Message When You Try to Install the Security Patch

This patch may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you try to install this update from the Microsoft Download Center Web site: This patch is only available for Internet Explorer 5.01. Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, and 5, are also vulnerable to this issue; however, when you run the patch on a version of Internet Explorer earlier than Internet Explorer 5.01, you receive the following message: This patch is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.

Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this patch.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:

Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5

This issue is also resolved in Internet Explorer 5.01 Service Pack 1 (SP1) and Internet Explorer 5.5. To install either of these versions, use one of the following methods:

• Install Internet Explorer 5.01 SP1 from one of the following locations:
  http://www.microsoft.com/windows/ie/download/ie501sp1.htm (http://www.microsoft.com/windows/ie/download/ie501sp1.htm)
  -or-
  http://www.windowsupdate.com (http://www.windowsupdate.com)
• Install Internet Explorer 5.5 on any computer, except a Microsoft Windows 2000-based computer, from one of the following locations:
  http://www.microsoft.com/windows/ie (http://www.microsoft.com/windows/ie)
  -or-
  http://www.windowsupdate.com (http://www.windowsupdate.com)
  NOTE: If you install the patch on a Windows 2000-based computer, Internet Explorer 5.5 does not install upgraded Outlook Express components, and therefore does not eliminate the vulnerability. Windows 2000 users should install Internet Explorer 5.01 SP1.
  
  Windows 2000 users who have already installed Internet Explorer 5.5 and are concerned about this issue can remove Internet Explorer 5.5 by using the Add/Remove Programs tool in Control Panel, and then installing Internet Explorer 5.01 SP1.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

For additional information about MHTML or other features in Internet Explorer 5, click the article number below to view the article in the Microsoft Knowledge Base: