COMMAND

    Outlook Express

SYSTEMS AFFECTED

    Microsoft Outlook Express 4.0, 4.01, 5.0 and 5.01

PROBLEM

    The following is based on Microsoft Security Bulletin MS00-045.
    By design,  HTML mail  can contain  script, and  among the actions
    such a  script can  take is  to open  a browser  window that links
    back to the  Outlook Express windows.   Also by design,  script in
    the browser window could read  the HTML mail that is  displayed in
    Outlook Express.   However, a  vulnerability results  because  the
    link  could  be  made  persistent.   This  could allow the browser
    window to retrieve the text of mails subsequently displayed in the
    preview  pane,  and  relay  it  to  the malicious user.  There are
    several significant restrictions on this vulnerability:

        - Only the recipient could open the HTML mail that established
          the link.
        - The attack would only  persist until the user either  closed
          the  browser  window  that  the  HTML mail opened, or closed
          Outlook Express.
        - The malicious user could only read mails that were displayed
          in  the  preview  pane.  If  the  preview  pane feature were
          disabled, he could not read mails under any conditions.
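    The behaviour above needs an HTML mail part that carries script.  As an
    added example (not part of the bulletin or of any Microsoft code), the
    mail-gateway check below walks a MIME message and flags the HTML parts
    that contain script tags, inline event handlers or javascript: URLs, so
    that such mail can be quarantined or stripped before it reaches a
    preview pane.  The two messages are constructed samples.

```python
import re
from email import message_from_string
from email.message import Message

# Heuristic patterns for active content inside an HTML body.
ACTIVE_CONTENT = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
}

def html_parts(msg: Message):
    """Yield the decoded text of every text/html part of a MIME message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "latin-1", "replace")

def find_active_content(raw_message: str) -> list:
    """Return the sorted names of active-content constructs found in HTML parts."""
    msg = message_from_string(raw_message)
    hits = set()
    for body in html_parts(msg):
        for name, pattern in ACTIVE_CONTENT.items():
            if pattern.search(body):
                hits.add(name)
    return sorted(hits)

# Constructed sample: HTML part with an event handler and a script element.
SAMPLE_SCRIPT = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please read this in HTML.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="document.title='x'">
<script>document.title='y'</script>
</body></html>
--b1--
"""

# Constructed sample: plain HTML with no active content.
SAMPLE_CLEAN = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Quarterly report attached.</p></body></html>
"""

if __name__ == "__main__":
    print("script sample:", find_active_content(SAMPLE_SCRIPT))
    print("clean sample:", find_active_content(SAMPLE_CLEAN))
```

    The patterns are deliberately broad; a gateway would normally strip or
    quarantine flagged parts rather than try to decide which script is safe.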

    The  vulnerability  is  eliminated  in  Outlook  Express  5.5, and
    customers  who  have  installed  it  do  not  need  to  take   any
    additional action.   Outlook Express 5.5  is available as  part of
    Internet Explorer 5.01 Service Pack 1, and, except when  installed
    on Windows 2000, Internet Explorer  5.5. A patch is available  for
    customers who prefer not to upgrade to Outlook Express 5.5.

SOLUTION

    This  vulnerability  can  be  eliminated  by  taking  any  of  the
    following actions:

    - Installing the patch available at
      http://www.microsoft.com/windows/ie/download/critical/patch9.htm
    - Performing a default installation of Internet Explorer 5.01 Service Pack 1,
      http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
    - Performing a  default installation of  Internet Explorer 5.5  on
      any system except Windows 2000.

    Note:  The  patch  requires  IE  4.01  SP2  or IE 5.01 to install.
    Customers who install this patch on versions other than these  may
    receive  a  message  reading  "This  update  does  not  need to be
    installed  on  this  system".  This  message  is  incorrect.  More
    information is available in KB article Q261255.