COMMAND

   Outlook (all)

SYSTEMS AFFECTED

    Outlook Express 4.0, 4.01, 5.0, 5.01, Outlook 97, 98 and 2000

PROBLEM

    Following is  based on  a Microsoft  Security Bulletin (MS00-046).
    By design,  an HTML  mail that  creates a  file on the recipient's
    computer should only be able to create it in the so-called  cache.
    Files  in  the  cache,  when  opened,  do so in the Internet Zone.
    However, this  vulnerability would  allow an  HTML mail  to bypass
    the cache mechanism and create a  file in a known location on  the
    recipient's disk.   If an HTML  mail created an  HTML file outside
    the cache, it  would run in  the Local Computer  Zone when opened.
    This could  allow it  to open  a file  on the  user's computer and
    send  it  a  malicious  user's  web  site.  The vulnerability also
    could be used as a way of placing an executable file on the user's
    machine, which the  malicious user would  then seek to  launch via
    some other means.

    The  vulnerability  would  not  enable  the malicious user to add,
    change or delete  files on the  user's computer.   Only files that
    can be  opened in  a browser  window, such  as .txt,  .jpg or .htm
    files, could  be read  via this  vulnerability, and  the malicious
    user would need to  know or guess the  full path and file  name of
    every file he wished to read.

    The vulnerability resides in a component that is shared by Outlook
    and Outlook  Express, and  as a  result the  vulnerability affects
    both products.  A version of the component that is not affected by
    the  vulnerability  ships  as  part  of  Outlook  Express 5.5, and
    customers who have installed it do not need to take any additional
    action.   Outlook Express  5.5 is  available as  part of  Internet
    Explorer  5.01  Service  Pack  1,  and,  except  when installed on
    Windows 2000, Internet Explorer 5.5.

SOLUTION

    This  vulnerability  can  be  eliminated  by  taking  any  of  the
    following actions:

      - Installing the patch available at
        http://www.microsoft.com/windows/ie/download/critical/patch9.htm
      - Performing a default installation of Internet Explorer 5.01 Service Pack 1,
        http://www.microsoft.com/Windows/ie/download/ie501sp1.htm
      - Performing a default installation of Internet Explorer 5.5  on
        any system except Windows 2000.

    Note:  The  patch  requires  IE  4.01  SP2  or IE 5.01 to install.
    Customers who install this patch on versions other than these  may
    receive  a  message  reading  "This  update  does  not  need to be
    installed  on  this  system".  This  message  is  incorrect.  More
    information is available in KB article Q247638.