Article ID: 303835 - View products that this article applies to.
This article was previously published under Q303835
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has released a workaround that eliminates security vulnerability in Outlook 2002. This workaround eliminates a security vulnerability that may allow certain scripts to run in conjunction with the Microsoft Outlook View Control.
This security vulnerability is described in the Microsoft Security bulletin, "Microsoft Security Bulletin MS01-038: Outlook View Control Exposes Unsafe Functionality," which is located at the following Microsoft Web site:
To resolve this problem, obtain the latest service pack for Microsoft Office XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/307841/EN-US/ )OFFXP: How to Obtain the Latest Office XP Service Pack
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in the Outlook 2002 Update: August 16, 2001.
The Outlook View Control is an ActiveX control that allows you to view Outlook e-mail folders on Web pages in Outlook 2002. The Microsoft Outlook E-mail Security update protects you from attackers who attempt to exploit the vulnerability in the Microsoft Outlook mail client. You can use the Microsoft Outlook View Control on Web sites that are outside the Outlook mail client. You could be enticed to visit a Web page that is controlled by someone with malicious intent, where the script or Hypertext Markup Language (HTML) code on the page could invoke the control. To address this problem until the patch is released, Microsoft recommends that you disable ActiveX controls in the Internet zone. When the patch is complete, Microsoft will re-release this article and provide information about where to obtain the patch and how to use it.
Outlook E-mail Security UpdateThe Outlook E-mail Security Update is automatically installed as part of Outlook 2002, and causes HTML messages to open in the Restricted Sites zone, where ActiveX controls are disabled by default.
To obtain the Outlook Email Security Update for other versions of Microsoft Outlook, go to the following Microsoft Web site:
How to Disable ActiveX Controls in the Internet ZoneUse the following steps to disable ActiveX controls:
Microsoft Windows 2000 Networks Using Active DirectoryYou can use Group Policy to automatically push the settings to all users the next time that they log on. To do this:
All Other Microsoft Operating SystemsUse the Internet Explorer Administration Kit Profile Manager to create an update package with the security settings that you want. After you do this, you can either use a Uniform Resource Locator (URL) or an AutoConfig URL (which should have been specified during the initial Internet Explorer setup) to automatically update the settings. For more information on the Internet Explorer Administration Kit Profile Manager, please view the following Microsoft Web site: