OLEXP: Cache Bypass Vulnerability Fix Available

Article ID: 247638
Last Review: January 25, 2007
Revision: 7.3
This article was previously published under Q247638
For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:
257824 (http://support.microsoft.com/kb/257824/EN-US/) OL2000: Differences Between Outlook and Outlook Express

SYMPTOMS

Microsoft has released an update that eliminates a security vulnerability in Outlook and Outlook Express. This vulnerability can allow a malicious e-mail message author to send a Hypertext Markup Language (HTML) e-mail message that, when opened, can read files on your computer. The malicious message cannot, however, add, change, or delete any messages. If this is coupled with other vulnerabilities, it can potentially be used in more advanced attacks. Only files that you can open in a browser window (such as .txt, .jpg, or .htm files) can be read by using this vulnerability. To read these files, the malicious user must know or guess the full path and file name of every file that they want to read.

Additional information about this issue is available on the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms00-046.mspx
You can find frequently asked questions about this vulnerability on the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/fq00-046.mspx

CAUSE

This behavior occurs because e-mail messages in the Hypertext Markup Language (HTML) format can create files that are stored outside of the cache, and those files can therefore run in less restricted security zones.

RESOLUTION

The following file is available for download from the Microsoft Download Center:
Download Q261255.exe now (http://www.microsoft.com/windows/ie/download/critical/patch9.htm)
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The Q261255.exe file contains the following files:
Inetcomm.dll
Msoe.dll
Msoert2.dll

Error Message When You Try to Install the Security Update

This update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you install this update from the Microsoft Download Center:
This update does not need to be installed on this system.
Updates are available only for Microsoft Internet Explorer 5.01. Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, and 5 are also vulnerable to this issue, but if you run the update on a version of Internet Explorer earlier than Internet Explorer 5.01, you may receive the message that says the update is already installed on your computer. This update is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.

Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this update.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
164539 (http://support.microsoft.com/kb/164539/EN-US/) How to Determine Which Version of Internet Explorer is Installed

Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5

This issue is also resolved in Microsoft Internet Explorer 5.01 Service Pack 1 (SP1) and Microsoft Internet Explorer 5.5. If you want to install either of these versions, use one of the following methods:
  • Install Internet Explorer 5.01 Service Pack 1 (SP1) from one of the following locations:
    http://www.microsoft.com/windows/ie/download/ie501sp1.htm
    -or-
    http://www.windowsupdate.com
  • Install Internet Explorer 5.5 on any computer except on a Microsoft Windows 2000-based computer from one of the following locations:
    http://www.microsoft.com/windows/ie
    -or-
    http://www.windowsupdate.com
NOTE: When you install the update on a Windows 2000-based computer, Internet Explorer 5.5 does not install upgraded Outlook Express components, and therefore does not eliminate the vulnerability. Microsoft recommends that Windows 2000 users install Internet Explorer 5.01 SP1 from one of the links in this section.

Windows 2000 users who have already installed Internet Explorer 5.5 and who are concerned about this issue can uninstall Internet Explorer 5.5 by using the Add/Remove Programs tool in Control Panel, and then install Internet Explorer 5.01 SP1.

STATUS

Microsoft has confirmed this to be a problem in Outlook Express 4.x and 5.0x. The problem is resolved in Outlook Express 5.5.


APPLIES TO
Microsoft Outlook Express 5.01 Service Pack 2
Microsoft Outlook Express 5.0
Microsoft Outlook Express 4.01 Service Pack 1
Microsoft Outlook Express 4.01 Service Pack 2
Microsoft Outlook Express 4.0
Microsoft Outlook Express 5.01 Service Pack 1
Microsoft Outlook Express 5.01
Microsoft Outlook 98 Standard Edition
Microsoft Outlook 2000 Standard Edition

Keywords: 
kbenv kbgraphxlinkcritical kbprb KB247638
