Microsoft KB Archive/247638

= OLEXP: Cache Bypass Vulnerability Fix Available =

Article ID: 247638

Article Last Modified on 1/25/2007


APPLIES TO


 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.01
 * Microsoft Outlook 98 Standard Edition
 * Microsoft Outlook 2000 Standard Edition




This article was previously published under Q247638



For information about the differences between Microsoft Outlook Express and Microsoft Outlook e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:

257824 OL2000: Differences Between Outlook and Outlook Express



SYMPTOMS
Microsoft has released an update that eliminates a security vulnerability in Outlook and Outlook Express. This vulnerability can allow a malicious e-mail message author to send a Hypertext Markup Language (HTML) e-mail message that, when opened, can read files on your computer. The malicious message cannot, however, add, change, or delete any messages. If this is coupled with other vulnerabilities, it can potentially be used in more advanced attacks. Only files that you can open in a browser window (such as .txt, .jpg, or .htm files) can be read by using this vulnerability. To read these files, the malicious user must know or guess the full path and file name of every file that they want to read.

Additional information about this issue is available on the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-046.asp

You can find frequently asked questions about this vulnerability on the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/fq00-046.mspx



CAUSE
This behavior occurs because e-mail messages in the Hypertext Markup Language (HTML) format can create files that are stored outside of the cache, and these files can therefore run in less restricted security zones.



RESOLUTION
The following file is available for download from the Microsoft Download Center:

Download Q261255.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The Q261255.exe file contains the following files:
 * Inetcomm.dll
 * Msoe.dll
 * Msoert2.dll

Error Message When You Try to Install the Security Update
This update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you install this update from the Microsoft Download Center:

This update does not need to be installed on this system.

Updates are available only for Microsoft Internet Explorer 5.01. Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, and 5 are also vulnerable to this issue, but if you run the update on a version of Internet Explorer earlier than Internet Explorer 5.01, you may receive the message that says the update is already installed on your computer. This update is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 5.01.

Microsoft recommends that you upgrade to Internet Explorer 5.01 and then install this update.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer is Installed

Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5
This issue is also resolved in Microsoft Internet Explorer 5.01 Service Pack 1 (SP1) and Microsoft Internet Explorer 5.5. If you want to install either of these versions, use one of the following methods:

 * Install Internet Explorer 5.01 Service Pack 1 (SP1) from one of the following locations:

http://www.microsoft.com/windows/ie/download/ie501sp1.htm

-or-

http://www.windowsupdate.com

 * Install Internet Explorer 5.5 on any computer except on a Microsoft Windows 2000-based computer from one of the following locations:

http://www.microsoft.com/windows/ie

-or-

http://www.windowsupdate.com

NOTE: When you install the update on a Windows 2000-based computer, Internet Explorer 5.5 does not install upgraded Outlook Express components, and therefore does not eliminate the vulnerability. Microsoft recommends that Windows 2000 users install Internet Explorer 5.01 SP1 from one of the links in this section.

Windows 2000 users who have already installed Internet Explorer 5.5 and who are concerned about this issue can uninstall Internet Explorer 5.5 by using the Add/Remove Programs tool in Control Panel, and then installing Internet Explorer 5.01 SP1.



STATUS
Microsoft has confirmed this to be a problem in Outlook Express 4.x and 5.0x. The problem is resolved in Outlook Express 5.5.

Keywords: kbgraphxlinkcritical kbenv kbprb KB247638


© Microsoft Corporation. All rights reserved.