If you search Microsoft's security bulletin Web site for Outlook-related bulletins, you'll find very few. What the search overlooks is that beyond a user's inclination to open unsolicited .exe files, Outlook's vulnerability to viruses lies elsewhere—namely, with the application's dependence on Internet Explorer (IE) components, which Outlook uses to handle HTML formatting in messages. Because Outlook and Outlook Express share this dependence on IE, you can use one set of IE patches to fix both email programs.
But which patches do you need to install? Since 1999, I've maintained a list of IE patches that pertain to HTML messages. After last week's Nimda virus outbreak, I reviewed the list to see whether I could boil it down to some simple version-specific recommendations. The task was easier than I had imagined.
To determine which version of IE you're using, click Help, About Internet Explorer and note the version number. If the number begins with 5.0, consult Microsoft article Q164539 to determine whether you're running IE 5.0 or IE 5.01. (Unfortunately, the version number on the About dialog box doesn't simply say 5.01. Why does Microsoft have to make this so hard?) The Microsoft article can also help you match up the version number with the various IE service packs.
Office 2000 requires IE 4.0 and ships with IE 5.0 included, but IE 5.0 isn't a mandatory part of the Office 2000 installation. However, both IE 4.0 and IE 5.0 have HTML vulnerabilities for which no patches are available. Therefore, anyone using a version of IE that's older than version 5.01 should upgrade immediately to the recently released IE 6.0, which Microsoft plans to ship with Windows XP.
If you have IE 5.01, you can either upgrade to IE 6.0 or install IE 5.01 Service Pack 2 (SP2) and the patch that Microsoft Security Bulletin MS01-027 documents. This critical patch protects against the IFRAME vulnerability, which the Nimda virus exploits to infect machines when users open messages or view them in preview panes. One reason Nimda spread so widely is that it exploits this hole to run its readme.exe file whether or not users click the file.
If you have IE 5.5, you should upgrade to IE 6.0 or to IE 5.5 SP2.
Does IE 6.0 offer any advantages over the service packs for IE 5.01 and 5.5? From an end-user perspective, one of IE 6.0's greatest new features is its ability to tell you when Web sites are trying to collect information about you. IE 6.0 adds an icon to the IE status bar that alerts you when a site sends a cookie that might seek to collect data. You can then decide whether to accept the cookie. If you're an administrator, you can use the Internet Explorer Administration Kit (IEAK) 6 to customize and lock down such privacy settings. The IEAK also includes a new feature that lets you customize the IE toolbar and, for Windows XP and Windows 2000, a Microsoft Management Console (MMC) snap-in that lets you plan browser policies. Finally, the version of Outlook Express that accompanies IE 6.0 includes an option that lets you block potentially harmful attachments.