Article ID: 283908 - Last Review: August 30, 2007 - Revision: 4.4

OLEXP: Patch Available for Malformed vCard Vulnerability

View products that this article applies to.
This article was previously published under Q283908

On This Page

Expand all | Collapse all

SYMPTOMS

Microsoft has released a patch that eliminates a security vulnerability that affects Outlook and Outlook Express. A malicious user can use the vulnerability to create a virtual business card (vCard); if the vCard is opened, the malicious user can use the vCard to take any action on the recipient's computer.

Outlook Express provides several components that Outlook uses if it is installed on a computer. One such component, which is used to process vCards, has an unchecked buffer. If a malicious user creates a vCard, edits the vCard to contain specially chosen data, and then sends the vCard to another user, either of following symptoms might occur if the recipient opens the vCard:
  • In less serious cases, the mail client stops responding when the recipient opens the vCard. If this occurs, the recipient can resume normal operation by restarting the mail client, and then deleting the mail that contains the vCard.
  • In more serious cases, the malicious user can cause the mail client to run code on the user's computer. This code can take any action that the malicious user wants; the actions that the code can take are limited only by the recipient's permissions on the computer.
This security vulnerability is mitigated by the need for the recipient to open the vCard. A vCard cannot be made to open automatically; therefore, the malicious user needs to entice the recipient to open the mail, and then open the vCard. As always, the best practice is to never open untrusted e-mail attachments. Because the component that contains the security vulnerability is included as part of Outlook Express, which is included as part of Microsoft Internet Explorer, the patch is specific to the version of Internet Explorer, rather than the version of Outlook Express or Outlook.
Back to the top

RESOLUTION

To resolve this issue, apply the patch that is described in this "Resolution" section. Although this vulnerability affects Outlook Express 5.01 and Outlook Express 5.5, this patch can only be applied to Outlook Express 5.5.

To successfully apply this patch, perform one the following steps (as applicable) before you apply the patch:
  • To successfully apply this patch on a computer that is running Microsoft Windows 2000, apply Internet Explorer 5.01 Service Pack 1 or Windows 2000 Service Pack 1.

    For additional information about Service Pack 1, click the article numbers below to view the articles in the Microsoft Knowledge Base:
    267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
    260910  (http://support.microsoft.com/kb/260910/EN-US/ ) How to Obtain the Latest Windows 2000 Service Pack
    NOTE: If you installed Internet Explorer 5.5 Service Pack 1 after you installed Internet Explorer 5.01 Service Pack 1 or Windows 2000 Service Pack 1, you can also successfully apply this patch on a computer that is running Windows 2000. For additional information about Internet Explorer 5.5 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:
    276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
  • To successfully apply this patch on a computer that is running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows NT 4.0, apply Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5 Service Pack 1. For additional information about Service Pack 1, click the article numbers below to view the articles in the Microsoft Knowledge Base:
    267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
    276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
  • To successfully apply this patch on a computer that is running Microsoft Windows Millennium Edition (Me), apply Internet Explorer 5.5 Service Pack 1.For additional information about Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:
    276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
Back to the top

Internet Explorer 5.5 with Service Pack 1

To resolve this problem, obtain the latest service pack for Internet Explorer version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
For your convenience, the individual patch is also available from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download Q283908.exe now (http://www.microsoft.com/windows/ie/downloads/critical/q283908/default.mspx)
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later: 
   Date        Time    Version         Size     File name   
   ---------------------------------------------------------
   01/15/2001  03:08p  5.50.4701.1500  454,928  Wab32.dll
NOTE: Due to file dependencies, this fix requires Microsoft Internet Explorer 5.5 Service Pack 1.
Back to the top

Internet Explorer 5.01 with Service Pack 1

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/ms01-012.mspx) to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download Q283908.exe now (http://www.microsoft.com/windows/ie/downloads/critical/q283908/default.mspx)
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later: 
   Date        Time    Version         Size     File name   
   ---------------------------------------------------------
   01/15/2001  03:08p  5.50.4701.1500  454,928  Wab32.dll
NOTE: Due to file dependencies, this fix requires Microsoft Internet Explorer 5.01 Service Pack 1.
International versions of this hotfix are now available for:
FR = French
ES = Spanish
DE = German
KO = Korean
JA = Japanese
CN = Chinese (PRC)
TW = Chinese (Taiwan)
These security fixes for wab32.dll apply to IE 5.5/SP1, IE 5.01, IE 5.01/SP1, IE 5.01/SP2. Wab32.dll from IE 5.5/SP1 and IE 5.01/SP2 are identical. In IE 5.5sp2, this fix is already included.

See below hotfix details and download information:

The hotfix installer for name for all International versions of this hotfix will be called Q283908.exe you can obtain it individually for each language above, but you may need to contact Microsoft directly to obtain these International versions of the hotfix.

The French version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:17   5.50.4701.1500  454,928  Wab32.dll
The Spanish version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:17   5.50.4701.1500  454,928  Wab32.dll
The German version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:15   5.50.4701.1500  454,928  Wab32.dll
The Korean version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:16   5.50.4701.1500  454,928  Wab32.dll
The Japanese version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:16   5.50.4701.1500  454,928  Wab32.dll
The Chinese (PRC) version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:15   5.50.4701.1500  454,928  Wab32.dll
The Chinese (Taiwan) version of this fix should have the following file attributes: 
Date        Time    Version         Size     File name   
------------------------------------------------------
01/26/2001  06:16   5.50.4701.1500  454,928  Wab32.dll
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.5 Service Pack 2.
Back to the top

MORE INFORMATION

For more information about this vulnerability, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms01-012.mspx (http://www.microsoft.com/technet/security/bulletin/ms01-012.mspx)
Back to the top
APPLIES TO
  • Microsoft Outlook Express 5.5
  • Microsoft Outlook Express 5.01 Service Pack 2
  • Microsoft Outlook Express 5.01 Service Pack 1
  • Microsoft Outlook Express 5.01
  • Microsoft Outlook 2000 Standard Edition
  • Microsoft Outlook 2000 Service Pack 1
  • Microsoft Outlook 98 Standard Edition
Back to the top
Keywords: 
kbbug kbfix kbgraphxlinkcritical kbie501presp2fix kbie550presp2fix KB283908
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations