Microsoft KB Archive/283908

= OLEXP: Patch Available for Malformed vCard Vulnerability =

Article ID: 283908

Article Last Modified on 8/30/2007

-

APPLIES TO


 * Microsoft Outlook Express 5.5
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.01
 * Microsoft Outlook 2000 Standard Edition
 * Microsoft Outlook 2000 Service Pack 1
 * Microsoft Outlook 98 Standard Edition

-



This article was previously published under Q283908



SYMPTOMS
Microsoft has released a patch that eliminates a security vulnerability that affects Outlook and Outlook Express. A malicious user can use the vulnerability to create a virtual business card (vCard); if the vCard is opened, the malicious user can use the vCard to take any action on the recipient's computer.

Outlook Express provides several components that Outlook uses if it is installed on a computer. One such component, which is used to process vCards, has an unchecked buffer. If a malicious user creates a vCard, edits the vCard to contain specially chosen data, and then sends the vCard to another user, either of the following symptoms might occur if the recipient opens the vCard:
 * In less serious cases, the mail client stops responding when the recipient opens the vCard. If this occurs, the recipient can resume normal operation by restarting the mail client, and then deleting the mail that contains the vCard.
 * In more serious cases, the malicious user can cause the mail client to run code on the user's computer. This code can take any action that the malicious user wants; the actions that the code can take are limited only by the recipient's permissions on the computer.

This security vulnerability is mitigated by the need for the recipient to open the vCard. A vCard cannot be made to open automatically; therefore, the malicious user needs to entice the recipient to open the mail, and then open the vCard. As always, the best practice is to never open untrusted e-mail attachments. Because the component that contains the security vulnerability is included as part of Outlook Express, which is included as part of Microsoft Internet Explorer, the patch is specific to the version of Internet Explorer, rather than the version of Outlook Express or Outlook.



RESOLUTION
To resolve this issue, apply the patch that is described in this "Resolution" section. Although this vulnerability affects Outlook Express 5.01 and Outlook Express 5.5, this patch can only be applied to Outlook Express 5.5.

To successfully apply this patch, perform one of the following steps (as applicable) before you apply the patch:

 * To successfully apply this patch on a computer that is running Microsoft Windows 2000, apply Internet Explorer 5.01 Service Pack 1 or Windows 2000 Service Pack 1.

For additional information about Service Pack 1, click the article numbers below to view the articles in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

260910 How to Obtain the Latest Windows 2000 Service Pack

NOTE: If you installed Internet Explorer 5.5 Service Pack 1 after you installed Internet Explorer 5.01 Service Pack 1 or Windows 2000 Service Pack 1, you can also successfully apply this patch on a computer that is running Windows 2000. For additional information about Internet Explorer 5.5 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack

 * To successfully apply this patch on a computer that is running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows NT 4.0, apply Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5 Service Pack 1. For additional information about Service Pack 1, click the article numbers below to view the articles in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack

 * To successfully apply this patch on a computer that is running Microsoft Windows Millennium Edition (Me), apply Internet Explorer 5.5 Service Pack 1. For additional information about Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack



Internet Explorer 5.5 with Service Pack 1
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack

For your convenience, the individual patch is also available from the Microsoft Download Center:

Download Q283908.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:

 Date        Time    Version         Size     File name
 ---------------------------------------------------------
 01/15/2001  03:08p  5.50.4701.1500  454,928  Wab32.dll

NOTE: Due to file dependencies, this fix requires Microsoft Internet Explorer 5.5 Service Pack 1.

Internet Explorer 5.01 with Service Pack 1
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:

Download Q283908.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:

 Date        Time    Version         Size     File name
 ---------------------------------------------------------
 01/15/2001  03:08p  5.50.4701.1500  454,928  Wab32.dll

NOTE: Due to file dependencies, this fix requires Microsoft Internet Explorer 5.01 Service Pack 1.

International versions of this hotfix are now available for:

FR = French

ES = Spanish

DE = German

KO = Korean

JA = Japanese

CN = Chinese (PRC)

TW = Chinese (Taiwan)

These security fixes for wab32.dll apply to IE 5.5/SP1, IE 5.01, IE 5.01/SP1, IE 5.01/SP2. The Wab32.dll files from IE 5.5/SP1 and IE 5.01/SP2 are identical. In IE 5.5/SP2, this fix is already included.

See the hotfix details and download information below:

The hotfix installer for all international versions of this hotfix is named Q283908.exe. You can obtain it individually for each language above, but you may need to contact Microsoft directly to obtain these international versions of the hotfix.

The French version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:17  5.50.4701.1500  454,928  Wab32.dll

The Spanish version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:17  5.50.4701.1500  454,928  Wab32.dll

The German version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:15  5.50.4701.1500  454,928  Wab32.dll

The Korean version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:16  5.50.4701.1500  454,928  Wab32.dll

The Japanese version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:16  5.50.4701.1500  454,928  Wab32.dll

The Chinese (PRC) version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:15  5.50.4701.1500  454,928  Wab32.dll

The Chinese (Taiwan) version of this fix should have the following file attributes:

 Date        Time   Version         Size     File name
 --------------------------------------------------------
 01/26/2001  06:16  5.50.4701.1500  454,928  Wab32.dll
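The "file attributes or later" check above can be automated across collected file inventories. The following Python sketch is an added example, not part of the Microsoft article; the CSV inventory format, host names and every version other than 5.50.4701.1500 are constructed for illustration.

```python
# Added example: flag hosts whose Wab32.dll is older than the patched build
# listed in this article. Inventory format and sample rows are constructed.
import csv
import io

FIXED_VERSION = "5.50.4701.1500"  # Wab32.dll version from the file attributes table


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text, fixed=FIXED_VERSION):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    try:
        found = parse_version(version_text)
    except ValueError:
        return "unknown"  # missing or garbled data needs a manual check
    # The article says "these attributes or later", so equal or newer passes.
    return "patched" if found >= parse_version(fixed) else "vulnerable"


def audit(inventory_csv):
    """Map each host in a 'host,wab32_version' CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["wab32_version"] or "") for row in reader}


# Constructed sample inventory (host names and the non-article versions are made up).
SAMPLE_INVENTORY = """host,wab32_version
ws-001,5.50.4701.1500
ws-002,5.50.4133.2400
ws-003,5.50.10000.1
ws-004,
ws-005,5.50.4701.900
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows ws-003 and ws-005 are the cases a plain string comparison gets wrong, which is why each version component is compared as an integer.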


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.5 Service Pack 2.


MORE INFORMATION
For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-012.asp

Additional query words: security_patch OE fail IE

Keywords: kbbug kbfix kbgraphxlinkcritical kbie501presp2fix kbie550presp2fix KB283908

-


© Microsoft Corporation. All rights reserved.