Microsoft KB Archive/267884

= OLEXP: E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1 =

Article ID: 267884

Article Last Modified on 8/30/2007

-

APPLIES TO


 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 5.01
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook 98 Standard Edition
 * Microsoft Outlook 2000 Standard Edition

-



This article was previously published under Q267884



For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:

257824 OL2000: Differences Between Outlook and Outlook Express



SYMPTOMS
Microsoft has discovered a vulnerability that affects Microsoft Outlook and Microsoft Outlook Express versions that you installed before the release of Microsoft Internet Explorer 5.01 Service Pack 1 (SP1). This vulnerability enables a user to run malicious code on a computer through the buffer overflow of the e-mail header. The buffer overflow can cause Outlook or Outlook Express to stop responding, or enable arbitrary code to run on your computer. This code can take any action that an authorized user of the computer may want.

Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-043.mspx

You can find frequently asked questions about this vulnerability on the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/fq00-043.mspx



CAUSE
This behavior occurs because a component, used by both Outlook and Outlook Express, contains an unchecked buffer in the module that interprets e-mail header fields when certain e-mail protocols are used to download mail from a mail server.



RESOLUTION
To resolve this issue, use one of the following methods:  Install Internet Explorer 5.01 SP1 from one of the following locations:

http://www.microsoft.com/windows/ie/download/ie501sp1.htm

http://www.windowsupdate.com

 Install Microsoft Internet Explorer 5.5 on any computer except Microsoft Windows 2000, from one of the following locations:

http://www.microsoft.com/windows/ie

http://www.windowsupdate.com

NOTE: When you install Internet Explorer 5.5 on a Windows 2000-based computer, Internet Explorer does not install upgraded Outlook Express components, and therefore does not eliminate the vulnerability. Microsoft recommends that Windows 2000 users install Internet Explorer 5.01 SP1 from one of the links that are provided in this step.

Windows 2000 users who have already installed Internet Explorer 5.5 and are concerned about this issue can uninstall Internet Explorer 5.5 by using the Add/Remove Programs tool in Control Panel, and then install Internet Explorer 5.01 SP1. Install the security update from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/download/critical/patch9.htm



Error Message When You Try to Install the Security Update
This update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you try to install this update from the Microsoft Download Center Web site:

This update does not need to be installed on this system.

Updates are available only for Internet Explorer 5.01. Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, and 5, are also vulnerable to this issue, but when you run the update on a version of Internet Explorer earlier than Internet Explorer 5.01, you receive the message that is noted in this section. This update is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.

Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this update.

For information about how to determine the version of Internet Explorer that you are using, please see the following article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer is Installed

E-mail Client Does Not Work
If your e-mail client does not work as a result of this vulnerability, contact the administrator of the e-mail server and request that the e-mail message be deleted. Although you can restart Outlook or Outlook Express if the offending e-mail message is still on the server, the next time that you retrieve e-mail from the server, it causes your e-mail client to not work again.

NOTE: The vulnerability does not cause any damage to the e-mail server because it is an e-mail client-side issue.



STATUS
This problem was corrected in Internet Explorer 5.01 SP1.



MORE INFORMATION
For additional information about Internet Explorer 5.01 SP1, click the following article numbers to view the articles in the Microsoft Knowledge Base:

261268 Description of Internet Explorer 5.01 Service Pack 1

For additional information about Internet Explorer on Microsoft Windows 2000 and Microsoft Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

257249 Download-Only Setup of Internet Explorer on Windows 2000 and Windows XP

Keywords: kbfix kbprb KB267884

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.