Outlook Express Exposes User Mail

Reported July 20 by Microsoft

VERSIONS AFFECTED
Microsoft Outlook Express 4.0 through 5.01

DESCRIPTION

By sending an unsuspecting user a specially crafted HTML message, a remote user could extract information from an Outlook Express mail preview pane and send that content to an offsite location for review.

VENDOR RESPONSE

Microsoft issued FAQ# FQ00-045 regarding this problem along with a patch and Support Online article Q267884, which also pertain to security issues MS00-043 and MS00-046.

Microsoft's bulletin states that "this vulnerability can be eliminated by taking any of the following actions:

  • Installing the patch available at
    http://www.microsoft.com/windows/ie/download/critical/patch9.htm
  • Performing a default installation of Internet Explorer 5.01 Service Pack 1,
    http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
  • Performing a default installation of Internet Explorer 5.5
    (http://www.microsoft.com/windows/ie/download/ie55.htm)
    on any system except Windows 2000.

Note: The patch requires IE 4.01 SP2 (http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm) to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q267884."

CREDIT
Discovered by Microsoft