Microsoft KB Archive/267580

= OLEXP: Information About the Outlook Express Security Patch =

Article ID: 267580

Article Last Modified on 3/29/2007


APPLIES TO


 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.01



This article was previously published under Q267580



For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:

257824 OL2000: Differences Between Outlook and Outlook Express



SUMMARY
This article provides general information about the Microsoft Outlook Express Security Patch that was released on July 20, 2000.



MORE INFORMATION
The Outlook Express Security Patch provides additional levels of protection against malicious e-mail messages. For general information about this patch, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-043.mspx

To download the patch, please see the following Microsoft Web site:

http://www.microsoft.com/windows/ie/download/critical/patch9.htm

If you have installed Microsoft Internet Explorer 5.01 Service Pack 1 (SP1) or Microsoft Internet Explorer 5.5 on a computer that is running any operating system other than Microsoft Windows 2000, you are not affected by these vulnerabilities and do not need to apply the patch.

Fixes
The following potential vulnerabilities are fixed when you apply this patch:

Buffer Overflow in Outlook Express Mail Header
 When the date and time fields in a message header are improperly formatted, the result is a buffer overflow. This potentially allows someone to run malicious code on your computer. For additional information about the buffer overflow issue, click the article number below to view the article in the Microsoft Knowledge Base:

267884 E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1

 If you use Outlook Express to open an e-mail message from an Internet Message Access Protocol (IMAP) server and the message contains a long subject (larger than approximately 192 characters), a buffer overflow results, which can potentially allow someone to run malicious code on your computer.
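
A defensive check for the two header conditions described above, as an added example that is not part of the original article or of the patch: it flags messages whose Date header does not parse or whose Subject exceeds the length the article cites. The function name `audit_headers`, the finding codes, and the 64-character date limit are assumptions made for this illustration.

```python
from email import message_from_bytes
from email.utils import parsedate_to_datetime

SUBJECT_LIMIT = 192  # "approximately 192 characters", from the article
DATE_LIMIT = 64      # assumption: a well-formed date header is far shorter


def unfold(value) -> str:
    """Join a folded (multi-line) header value back into one line."""
    return "".join(str(value).splitlines())


def audit_headers(raw: bytes) -> list[str]:
    """Return finding codes for one raw RFC 2822 message."""
    msg = message_from_bytes(raw)
    findings = []
    for value in msg.get_all("Date", []):
        date = unfold(value).strip()
        if len(date) > DATE_LIMIT:
            findings.append("date-too-long")
        try:
            parsedate_to_datetime(date)
        except (TypeError, ValueError, OverflowError):
            # Raised when the value is not a usable RFC 2822 date.
            findings.append("date-unparseable")
    for value in msg.get_all("Subject", []):
        if len(unfold(value).strip()) > SUBJECT_LIMIT:
            findings.append("subject-too-long")
    return findings


# Constructed sample messages (not taken from real traffic).
CLEAN = (b"From: a@example.com\r\n"
         b"Date: Thu, 20 Jul 2000 10:15:00 -0700\r\n"
         b"Subject: Quarterly report\r\n\r\nbody\r\n")
SUSPECT = (b"From: b@example.com\r\n"
           b"Date: " + b"1" * 200 + b"\r\n"
           b"Subject: " + b"A" * 300 + b"\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_headers(raw))
```

A mail gateway or mailbox audit script could run this over stored messages to find ones worth quarantining before an unpatched client opens them.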

File Attachments
 When you open a multimedia e-mail attachment (such as file types ending in .mid, .wav, .gif, or .mov), code that is contained in the attachment can automatically run.

For additional information about issues with multimedia e-mail attachments, click the article number below to view the article in the Microsoft Knowledge Base:

247638 Cache Bypass Vulnerability Fix Available

 If you open an e-mail message and see the File Download attachment warning dialog box instead of the Open Attachment Warning dialog box, and then click Cancel, the attachment is not deleted from your hard disk. This temporary file may be a compiled Hypertext Markup Language (HTML) file with a .chm file name extension. You can open the attachment with the window.showHelp method, which may run malicious code.

 Outlook Express may place extracted .mht files on a local hard disk in predictable locations. This allows a cross-domain violation. Code on a remote Web page can then open files on the local computer. When these files are opened, they run in the context of the My Computer security zone.

JavaScript in the Preview Pane
If you use the preview pane to view a message that contains JavaScript, the script can read subsequent e-mail messages that have been opened.

Keywords: kbinfo KB267580


© Microsoft Corporation. All rights reserved.