Microsoft KB Archive/261252

= Update Available for Security Related Issues with HTML File Attachments =

Article ID: 261252

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 5.01
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook 97 Standard Edition
 * Microsoft Outlook 98 Standard Edition
 * Microsoft Outlook 2000 Standard Edition

-



This article was previously published under Q261252



For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:

257824 OL2000: Differences Between Outlook and Outlook Express



SYMPTOMS
When you open an e-mail message, the File Download dialog box may be displayed instead of the Open Attachment Warning dialog box. If you click Cancel, the attachment may not be removed from your hard disk. This temporary file may be a compiled Hypertext Markup Language (HTML) file with a .chm file name extension. This file can be used by a malicious e-mail author to run arbitrary commands on your computer.

Microsoft has released an update that eliminates this security vulnerability in Outlook and Outlook Express.



CAUSE
This behavior occurs because a .chm file is an HTML file type that can be stored outside of cache and can therefore run in less restricted security zones.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Internet Explorer 5.01 service pack that contains this fix.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The Q261255.exe file is available for download from the following Microsoft Download Center Web site:

http://download.microsoft.com/download/ie501/secpach9/5.01/WIN98/EN-US/Q261255.exe

The Q261255.exe file contains the following files:
 * Inetcomm.dll
 * Msoe.dll
 * Msoert2.dll

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Error Message when You Try to Install the Security Update
This update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you install this update from the Microsoft Download Center Web site:

This update does not need to be installed on this system.

Updates are available only for Internet Explorer 5.01. Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, and 5, are also vulnerable to this problem, but if you run the update on a version of Internet Explorer 5 earlier than Internet Explorer 5.01, you receive the message that is noted earlier in this section. This update is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.

Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this update.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer is Installed

Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5
This issue is also resolved in Internet Explorer 5.01 Service Pack 1 (SP1) and Internet Explorer 5.5. If you want to install either of these versions, use one of the following methods:  Install Internet Explorer 5.01 SP1 from one of the following locations:

http://www.microsoft.com/windows/ie/download/ie501sp1.htm

-or-

http://www.windowsupdate.com

 Install Internet Explorer 5.5 on any computer, except a Windows 2000-based computer, from one of the following locations:

http://www.microsoft.com/windows/ie

-or-

http://www.windowsupdate.com

NOTE: When you install the update on a Windows 2000-based computer, Internet Explorer 5.5 does not install the upgraded Outlook Express components and therefore does not eliminate this vulnerability. Microsoft recommends that Windows 2000 users install Internet Explorer 5.01 SP1 from one of the Web sites in this section.

Windows 2000 users who have already installed Internet Explorer 5.5 and are concerned about this issue can uninstall Internet Explorer 5.5 by using the Add/Remove Programs tool in Control Panel, and then install Internet Explorer 5.01 SP1.



STATUS
Microsoft has confirmed that this is a problem in Internet Explorer 5.01.

Additional query words: chm inetcomm dll Msoe Msoert2

Keywords: kbdownload kbenv kbprb KB261252

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.