The Outlook View Control exposes a security vulnerability in Outlook 2002

Microsoft has released a workaround that eliminates security vulnerability in Outlook 2002. This workaround eliminates a security vulnerability that may allow certain scripts to run in conjunction with the Microsoft Outlook View Control.

This security vulnerability is described in the Microsoft Security bulletin, "Microsoft Security Bulletin MS01-038: Outlook View Control Exposes Unsafe Functionality," which is located at the following Microsoft Web site:

To resolve this problem, obtain the latest service pack for Microsoft Office XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in the Outlook 2002 Update: August 16, 2001.

The Outlook View Control is an ActiveX control that allows you to view Outlook e-mail folders on Web pages in Outlook 2002. The Microsoft Outlook E-mail Security update protects you from attackers who attempt to exploit the vulnerability in the Microsoft Outlook mail client. You can use the Microsoft Outlook View Control on Web sites that are outside the Outlook mail client. You could be enticed to visit a Web page that is controlled by someone with malicious intent, where the script or Hypertext Markup Language (HTML) code on the page could invoke the control. To address this problem until the patch is released, Microsoft recommends that you disable ActiveX controls in the Internet zone. When the patch is complete, Microsoft will re-release this article and provide information about where to obtain the patch and how to use it.

Outlook E-mail Security Update

The Outlook E-mail Security Update is automatically installed as part of Outlook 2002, and causes HTML messages to open in the Restricted Sites zone, where ActiveX controls are disabled by default.

To obtain the Outlook Email Security Update for other versions of Microsoft Outlook, go to the following Microsoft Web site:

Mitigating Factors

• The previously-released Outlook E-mail Security Update prevents this security vulnerability from being exploited in Outlook 2002, Microsoft Outlook 2000, and Microsoft Outlook 98 messages.
• With the Outlook E-mail Security Update installed, you can not be forced to visit a Web page that exploits the security vulnerability.

How to Disable ActiveX Controls in the Internet Zone

Use the following steps to disable ActiveX controls:

1. In Microsoft Internet Explorer, click Internet Options on the Tools menu.
2. Under Select a Web content zone to specify its security settings on the Security tab, click the Internet icon, and then click Custom Level.
3. In the Settings box, click Disable under Run ActiveX controls and plug-ins, and then click OK twice. To disable ActiveX controls in other zones, repeat the previous steps, except that in step 2, click the appropriate security zone, such as Local Intranet, Trusted Sites, or Restricted Sites.

Microsoft Windows 2000 Networks Using Active Directory

You can use Group Policy to automatically push the settings to all users the next time that they log on. To do this:

1. Create a Group Policy object at the Site, Domain or Organizational Unit level. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
   274846  (http://support.microsoft.com/kb/274846/EN-US/ ) How to Set Advanced Settings In Internet Explorer by Using Group Policy Objects
2. In User Configuration, navigate through Windows Settings, Internet Explorer Maintenance, Security, Security Zones, and then to Content Maintenance.
3. Click Import the current security zones settings, and then click Modify Settings.
4. Click Internet, and then click Custom Level.
5. In the Settings box, click Disable under Run ActiveX controls and plug-ins, and then click OK twice to return to the Group Policy dialogue box.

All Other Microsoft Operating Systems

Use the Internet Explorer Administration Kit Profile Manager to create an update package with the security settings that you want. After you do this, you can either use a Uniform Resource Locator (URL) or an AutoConfig URL (which should have been specified during the initial Internet Explorer setup) to automatically update the settings. For more information on the Internet Explorer Administration Kit Profile Manager, please view the following Microsoft Web site: