BetaONE will rise again!
FAQ Members List Calendar Search Today's Posts Mark Forums Read
   


Reply
 
Thread Tools Display Modes
  #1  
Old 16th Oct 02, 06:49 PM
FreeUS FreeUS is offline
Senior Member
  
Join Date: Nov 2001
Posts: 634
FreeUS
Microsoft has warned Outlook Express users that a software flaw could allow an online vandal to control their computers.
A critical vulnerability in the email reader could allow an attacker to send a specially formatted message that would crash the software and potentially take control of the recipient's computer.

The flaw occurs in how the software handles messages that include components using secure MIME (multipurpose internet mail extensions), a standard that allows email messages to contain encrypted data and digital signatures.

Scott Culp, manager for Microsoft security response, said: "Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk."

Microsoft Outlook Express 5.5 and 6.0 are both affected. Earlier versions of the software giant's default email application may also carry the flaw but Microsoft hasn't tested the applications because they are no longer supported. Microsoft Outlook, the giant's full-featured email and workgroup software, is not affected, Culp said.

The advisory released last week includes links to a patch for Outlook Express 5.5 users and Outlook Express 6 Gold users. Anyone who has already downloaded and installed the Internet Explorer 6 service pack or the Windows XP service pack announced on 9 September already have the patch, Culp said.

"We moved heaven and earth to get this into service packs," he said. Microsoft has found that its software service packs are downloaded in greater numbers, so the company tries to push out all application fixes that it can into the semi-annual patches. Millions of people downloaded the two service packs in the first week, he said.

Focusing on the service pack had the consequence of delaying a patch for the smaller number of people who use Outlook Express 5.5 and Outlook Express 6.0 Gold, which is the company's internal term for the latest Outlook Express without any service packs applied. While the flaw had been found in late August and Microsoft rushed a patch out for the service packs released on 9 September, it took another 30 days for the company to release patches for other users.

"In order to meet the delivery date we had to focus fully on the service packs," Culp said. "We didn't even start on OE 5.5 until after that."

The company updated the advisory, its 58th this year, on Friday morning to explain an error message that appears on computers that have Internet Explorer 6 service pack 1 already installed if the user tries to install the new patch. Microsoft stated that the message - "this update requires Internet Explorer 6.0 to be installed" - is incorrect and should say that the patch is not needed.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +1. The time now is 03:48 PM.
BetaONE - Archive - Top

Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.