You are currently offline, waiting for your internet to reconnect

MS03-014: April, 2003, Cumulative patch for Outlook Express

This article was previously published under Q330994
This article has been archived. It is offered "as is" and will no longer be updated.
For information about the differences between Microsoft Outlook and Microsoft Outlook Express e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:
257824OL2000: Differences Between Outlook and Outlook Express
SUMMARY
Microsoft has released a cumulative patch for Microsoft Outlook Express. This cumulative patch includes updates for the issues that are described in the following Microsoft Knowledge Base article:

328676 MS02-058: OLEXP: An unchecked buffer in Outlook Express S/MIME parsing may permit system compromise
The patch that this article describes applies to the following versions of Microsoft Outlook Express:
  • Microsoft Outlook Express 6.0 Service Pack 1, when it is used with Internet Explorer 6.0 Service Pack 1 on Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, Microsoft Windows NT 4.0 Service Pack 6a, Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows XP (32-bit versions only), and Microsoft Windows XP Service Pack 1 (32-bit or 64-bit versions).
  • Microsoft Outlook Express 6.0, when it is used with Internet Explorer 6.0 on the operating system Windows XP (32-bit versions only).
  • Microsoft Outlook Express 5.5 Service Pack 2, when it is used with Internet Explorer 5.5 Service Pack 2 on Windows 98 Second Edition, Windows Millennium Edition, Windows NT 4.0 Service Pack 6a, Windows 2000 Service Pack 2 and Windows 2000 Service Pack 3, or Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3.
The patch that this article describes helps to protect against a vulnerability that exists in the MHTML URL Handler where the MHTML URL Handler allows any file that can be rendered as text to be opened and rendered as part of a page in Microsoft Internet Explorer. MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an Internet standard that defines the MIME structure that is used to send HTML content in e-mail message bodies. The MHTML URL Handler in Windows is part of Outlook Express and provides a URL type that can be used on the local computer. This URL type (MHTML://) allows MHTML documents to be opened from a command line, from Internet Explorer, from the Run dialog box on the Start menu, or by using Windows Explorer.

Because of this vulnerability in the MHTML URL Handler, it would be possible to construct a Uniform Resource Locator (URL) that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would run when the file was accessed. Because the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened in the Local Computer Zone are subject to fewer restrictions than files that are opened in other security zones.

By using this method, an attacker could try to construct a URL and either host it on a Web site or send it by using an e-mail message. In the Web-based scenario, where a user clicked a URL that is hosted on a Web site, an attacker could read or open files that are already present on the local computer. In an e-mail message-based attack, if the user was using Outlook Express 6.0 or Microsoft Outlook 2002 in its default configuration, or Microsoft Outlook 98 or Microsoft Outlook 2000 with the Outlook E-mail Security Update, an attack could not be automated, and the user would still have to click the URL that was sent in the e-mail message. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in its default configuration, or Outlook 98 or 2000 with the Outlook E-mail Security Update, the attacker could cause an attack to trigger automatically without the user having to click the URL in the e-mail message. In both the Web-based and e-mail message-based scenarios, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

Applying the patch that is described in the following Microsoft Knowledge Base article will help block an attacker from being able to load a file onto a user's computer and prevent the passing of parameters to an executable file.
810847 MS03-004: February, 2003, Cumulative Patch for Internet Explorer
This means that an attacker could only start a program that already existed on the computer (if the attacker was aware of the location of the program) and would not be able to pass parameters to the program for it to run.

MHTML is a standard for exchanging HTML content in e-mail, and, as a result, the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content. However, the MHTML function has not been implemented separately in Internet Explorer - it uses Outlook Express to render the MHTML content.

For more information about this patch, visit the following Microsoft Web site:
MORE INFORMATION

Download Information

The following file is available for download from the Microsoft Download Center:
DownloadDownload the 330994 package now.Release Date: April 23, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

Hotfix Information

Installation Information

You must be logged on as an administrator to install this patch. To verify that the patch is installed on your computer, check the files in the "File Information" section of this article.

Prerequisites

Outlook Express 6.0 Service Pack 1

To install the Outlook Express 6.0 Service Pack 1 version of this patch, you must be running Microsoft Outlook Express 6.0 Service Pack 1 on a computer that is running Microsoft Windows XP Service Pack 1 (32-bit or 64-bit versions).

Outlook Express 6.0

To install the Outlook Express 6.0 version of this patch, you must be running Outlook Express 6.0 on a 32-bit version of Windows XP.

Outlook Express 5.5 Service Pack 2

To install the Microsoft Outlook Express 5.5 Service Pack 2 version of this patch, you must be running Microsoft Outlook Express 5.5 Service Pack 2 on a computer that is running Microsoft Windows 2000 Service Pack 3.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
328548 How to obtain the latest service pack for Internet Explorer 6
322389 How to obtain the latest Windows XP service pack
260910 How to obtain the latest Windows 2000 service pack

Reboot Requirement

When you install the patches that are described in this article, you do not have to reboot your computer when the following conditions are true:
  • You shut down Outlook Express before you install the patch.
  • The About Internet Explorer dialog box is not open when you install the patch.

Previous Update Status

This patch supersedes the Microsoft Security Bulletin MS02-058 for Outlook Express and the Cumulative Update for Outlook Express 6.0 SP1.

Setup Switches

The update packages for this patch support the following switches:
  • /q - Specifies quiet mode (in other words, suppresses prompts) when files are extracted.
  • /q:u - Specifies user-quiet mode, which displays some dialog boxes to the user.
  • /q:a - Specifies administrator-quiet mode, which does not display any dialog boxes to the user.
  • /t: path - Specifies the target folder for extracting files.
  • /c - Extracts the files without installing them.
  • /c: path - Specifies the path and the name of the Setup .inf or .exe file.
  • /r:n - Never restarts the computer after an installation.
  • /r:i - Restarts the computer if a restart is required. Automatically restarts the computer if a restart is required to complete installation.
  • /r:a - Always restarts the computer after an installation.
  • /r:s - Restarts the computer after an installation without prompting the user.
  • /n:v - No version checking. Installs the program over any previous version.
For example, use the following command line to install the patch without any user intervention and without forcing the computer to restart:
q330994 /q:a /r:n

File Information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Internet Explorer 6 SP1 (32-bit)

   Date         Time   Version            Size    File name   --------------------------------------------------------------   03-Mar-2003  04:24  6.0.2800.1123    75,776    Directdb.dll   03-Mar-2003  04:41  6.0.2800.1165   592,384    Inetcomm.dll   09-Mar-2003  12:42  6.0.2800.1123    47,616    Inetres.dll   03-Mar-2003  09:24  6.0.2800.1123    44,032    Msident.dll   03-Mar-2003  03:57  6.0.2800.1123    56,832    Msimn.exe   11-Oct-2002  02:08  6.0.2800.1158 1,174,528    Msoe.dll   03-Mar-2003  03:57  6.0.2800.1123   228,864    Msoeacct.dll   03-Mar-2003  03:57  6.0.2800.1123 2,479,616    Msoeres.dll   03-Mar-2003  03:57  6.0.2800.1123    91,136    Msoert2.dll   03-Mar-2003  03:57  6.0.2800.1123    93,184    Oeimport.dll   03-Mar-2003  03:57  6.0.2800.1123    55,808    Oemig50.exe   03-Mar-2003  03:57  6.0.2800.1123    31,744    Oemiglib.dll   03-Mar-2003  03:57  6.0.2800.1123    42,496    Wab.exe   03-Mar-2003  03:57  6.0.2800.1123   462,848    Wab32.dll   03-Mar-2003  03:57  6.0.2800.1123    30,208    Wabfind.dll   03-Mar-2003  03:57  6.0.2800.1123    77,824    Wabimp.dll   03-Mar-2003  03:57  6.0.2800.1123    27,648    Wabmig.exe

Internet Explorer 6 SP1 (64-bit)

   Date         Time   Version             Size    File name   --------------------------------------------------------------   05-Nov-2002	 09:53  6.0.2800.1123    251,904   Directdb.dll   19-Feb-2003   03:19  6.0.2800.1165  2,197,504   Inetcomm.dll   05-Nov-2002	 09:53  6.0.2800.1123     47,104   Inetres.dll   05-Nov-2002	 09:53  6.0.2800.1123     63,488   Msimn.exe   19-Feb-2003   03:37  6.0.2800.1158  4,482,560   Msoe.dll   05-Nov-2002	 09:53  6.0.2800.1123    729,088   Msoeacct.dll   05-Nov-2002	 09:54  6.0.2800.1123  2,479,104   Msoeres.dll   05-Nov-2002	 09:53  6.0.2800.1123    300,032   Msoert2.dll   05-Nov-2002	 09:53  6.0.2800.1123    302,080   Oeimport.dll   05-Nov-2002	 09:54  6.0.2800.1123    142,336   Oemig50.exe   05-Nov-2002	 09:54  6.0.2800.1123     73,728   Oemiglib.dll   05-Nov-2002	 09:53  6.0.2800.1123     87,040   Wab.exe   05-Nov-2002	 09:53  6.0.2800.1123  1,773,568   Wab32.dll   05-Nov-2002	 09:53  6.0.2800.1123     38,912   Wabfind.dll   05-Nov-2002	 09:53  6.0.2800.1123    240,640   Wabimp.dll   05-Nov-2002	 09:53  6.0.2800.1123     71,680   Wabmig.exe

Internet Explorer 6

   Date         Time   Version             Size   File name   --------------------------------------------------------------   17-Mar-2003  11:44  6.0.2727.1300    594,944   Inetcomm.dll   17-Mar-2003  11:44  6.0.2720.3000  1,175,040   Msoe.dll

Internet Explorer 5.5 SP2

   Date         Time   Version             Size   File name   --------------------------------------------------------------   30-Jan-2003  04:26  5.50.4925.2800   572,176   Inetcomm.dll   15-Oct-2002  07:15  5.50.4922.1500 1,146,640   Msoe.dll
Note This patch does not contain file dependencies.

Removal Information

To remove this patch, use the Add or Remove Programs (Add/Remove Programs) tool in Control Panel. Click Outlook Express Update Q330994, and then click Change/Remove (or Add/Remove).
patch31 security_patch
Properties

Article ID: 330994 - Last Review: 12/07/2015 13:02:24 - Revision: 4.9

Microsoft Outlook Express 6.0, Microsoft Outlook Express 5.5, Microsoft Outlook Express 5.5, Microsoft Outlook Express 5.5, Microsoft Outlook Express 5.5

  • kbnosurvey kbarchive kbwin2ksp4fix kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability KB330994
Feedback