This article provides general information about the
Microsoft Outlook Express Security Patch that was released on July 20, 2000.
The Outlook Express Security Patch provides additional
levels of protection against malicious e-mail messages. For general information
about this patch, please see the following Microsoft Web site:
To download the patch, please see the following Microsoft Web
site:
If you have installed Microsoft Internet Explorer 5.01 Service
Pack 1 (SP1) or Microsoft Internet Explorer 5.5 on a computer that is running
any operating system other than Microsoft Windows 2000, you are not affected by
these vulnerabilities and do not need to apply the patch.
Fixes
The following potential vulnerabilities are fixed when you apply
this patch:
Buffer Overflow in Outlook Express Mail Header
• When the date and time fields in a message header are
improperly formatted, the result is a buffer overflow. This potentially allows
someone to run malicious code on your computer. For additional information
about the buffer overflow issue, click the article number below to view the
article in the Microsoft Knowledge Base:
267884 (http://support.microsoft.com/kb/267884/EN-US/) E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1
• If you use Outlook Express to open an e-mail message from
an Internet Message Access Protocol (IMAP) server and the message contains a
long subject (larger than approximately 192 characters), the result is a
buffer overflow that can potentially allow someone to run malicious code on
your computer.
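A defensive header screen for the two overflow conditions above, as an added example that is not part of the original article or of Microsoft's patch: it flags a Subject longer than the approximately 192 characters cited and a Date field that is oversized or does not parse. The 64-character date cap, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.utils import parsedate_to_datetime

SUBJECT_LIMIT = 192  # approximate subject length the article cites
DATE_MAX_LEN = 64    # assumption: generous cap for a well-formed date field


def _unfold(value):
    """Return a header value as one line, with folding CR/LF removed."""
    return str(value).replace("\r", "").replace("\n", "")


def screen_headers(raw):
    """Return a list of (header, reason) findings for one raw message."""
    msg = message_from_bytes(raw)
    findings = []
    # get_all() covers duplicate headers, which a single get() would hide.
    for value in msg.get_all("Subject", []):
        length = len(_unfold(value))
        if length > SUBJECT_LIMIT:
            findings.append(("Subject", "length %d exceeds %d" % (length, SUBJECT_LIMIT)))
    for value in msg.get_all("Date", []):
        text = _unfold(value).strip()
        # Length is checked first: the parser ignores trailing tokens,
        # so an oversized value could otherwise still parse cleanly.
        if len(text) > DATE_MAX_LEN:
            findings.append(("Date", "length %d exceeds %d" % (len(text), DATE_MAX_LEN)))
            continue
        try:
            parsedate_to_datetime(text)
        except (TypeError, ValueError):
            findings.append(("Date", "not a parseable date"))
    return findings


def _sample(subject, date):
    """Build a constructed test message with the given header values."""
    lines = ["From: a@example.com", "Subject: " + subject, "Date: " + date, "", "body"]
    return "\r\n".join(lines).encode("ascii")


# Constructed sample messages (not captured traffic).
GOOD_DATE = "Thu, 20 Jul 2000 10:00:00 -0700"
SAMPLE_OK = _sample("Quarterly report", GOOD_DATE)
SAMPLE_LONG_SUBJECT = _sample("A" * 200, GOOD_DATE)
SAMPLE_BAD_DATE = _sample("Quarterly report", "not-a-date")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_LONG_SUBJECT", "SAMPLE_BAD_DATE"):
        print(name, screen_headers(globals()[name]))
```
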
File Attachments
• When you open a multimedia e-mail attachment (such as file
types ending in .mid, .wav, .gif, or .mov), code that is contained in the
attachment can automatically run. For additional information about issues with
multimedia e-mail attachments, click the article number below to view the
article in the Microsoft Knowledge Base:
247638 (http://support.microsoft.com/kb/247638/EN-US/) Cache Bypass Vulnerability Fix Available
• If you open an e-mail message and see the File Download attachment
warning dialog box instead of the Open Attachment Warning dialog box, and then
click Cancel, the attachment is not deleted from your hard disk. This
temporary file may be a compiled Hypertext Markup Language (HTML) file with a
.chm file name extension. You can open the attachment with the
window.showHelp() method, which may run malicious code.
• Outlook Express may place extracted .mht files on a local
hard disk in predictable locations. This allows a cross-domain violation. Code
on a remote Web page can then open files on the local computer. When these
files are opened, they run in the context of the My Computer security
zone.
JavaScript in the Preview Pane
If you use the preview pane to view a message that contains
JavaScript, the script can read subsequent e-mail messages that have been opened.