Microsoft has fixed a bug in its Outlook and Outlook Express email programs that could let malicious hackers gain control of users' PCs simply by sending them an email message. Until now, many have assumed that all email-based vulnerabilities depend upon users actually opening an infected email message. However, the new bug opens up the possibility of mass emailings that give the sender control over numerous victims simultaneously. Uncovered by a South American security research team, the bug affects all Outlook and Outlook Express users, estimated at more than 100 million people.

Ironically, the bug is contained in an Internet Explorer (IE) component that Outlook and Outlook Express share. Microsoft addressed the bug in IE 5.5 and urged users to upgrade to the latest browser to get the fix. But in the face of criticism, the company issued a patch for IE 5.01 on July 19. To get the patch, visit the Microsoft Web site. Those who use previous versions of IE are still out of luck, however, because Microsoft has yet to issue a patch for those versions. Also out of luck are Windows 2000 users who didn't upgrade to IE 5.01 Service Pack 1 (SP1) first, because the IE 5.5 installer won't install the updated Outlook Express components required to address this bug. Win2K users are advised to install IE 5.01 SP1 or Win2K SP1 (which is supposedly due this week) before installing IE 5.5.

Microsoft describes the bug as "a buffer overrun vulnerability. A malicious user could exploit the vulnerability to send an email that, when downloaded from the mail server, could have either of two effects. In the less serious case, Outlook or Outlook Express could fail. In the more serious case, code of the malicious user's choice could execute on the recipient's computer. Such code could take any action that the user is authorized to take on the machine, including reformatting the hard drive, communicating with an external Web site, or changing data on the computer." The company recommends that all users of Outlook and Outlook Express install the patch or upgrade to IE 5.5. For more information about this bug, refer to Microsoft Security Bulletin MS00-043