Outlook Express hole patched
October 15, 2002
Microsoft has released a patch for what it calls a 'critical security hole' in Outlook Express.
Earlier, the Redmond-based company warned Outlook Express users that a software flaw could allow an online attacker to control their computers.
"Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk," said Scott Culp, manager for Microsoft security response.
Microsoft did not provide details on the cause of the vulnerability but said an attacker could introduce specific data via the Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption method and then send it to another user.
The flaw occurs in how the software handles messages that include components using S/MIME, a standard that allows emails to contain encrypted data and digital signatures.
An advisory released on Thursday includes links to a patch for Outlook Express 5.5 users and Outlook Express 6 Gold users. Anyone who has already downloaded and installed the Internet Explorer 6 service pack or the Windows XP service pack announced on Sept. 9 already has the patch, according to the advisory.
The company updated the advisory, its 58th this year, on Friday morning to explain an error message that appears on computers that have Internet Explorer 6 service pack 1 already installed if the user tries to install the new patch. Microsoft stated that the message--"This update requires Internet Explorer 6.0 to be installed"--is incorrect and should say that the patch is not needed.