Microsoft warned Outlook Express users late Thursday that a software flaw could allow an online vandal to control their computers.
A critical vulnerability in the e-mail reader could allow an attacker to send a specially formatted message that would crash the software and potentially take control of the recipient's computer.
The flaw occurs in how the software handles messages that include components using secure MIME (multipurpose Internet mail extensions), a standard that allows e-mail messages to contain encrypted data and digital signatures.
"Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk," said Scott Culp, manager for Microsoft security response.
Microsoft Outlook Express 5.5 and 6.0 are both affected. Earlier versions of the software giant's default e-mail application may also carry the flaw, but Microsoft hasn't tested the applications because they are no longer supported. Microsoft Outlook, the giant's full-featured e-mail and workgroup software, is not affected, Culp said.
The advisory released on Thursday includes links to a patch for Outlook Express 5.5 users and Outlook Express 6 Gold users. Anyone who has already downloaded and installed the Internet Explorer 6 service pack or the Windows XP service pack announced on Sept. 9 already have the patch, Culp said.
The company updated the advisory, its 58th this year, on Friday morning to explain an error message that appears on computers that have Internet Explorer 6 service pack 1 already installed if the user tries to install the new patch. Microsoft stated that the message--"This update requires Internet Explorer 6.0 to be installed"--is incorrect and should say that the patch is not needed.
A critical vulnerability in the e-mail reader could allow an attacker to send a specially formatted message that would crash the software and potentially take control of the recipient's computer.
The flaw occurs in how the software handles messages that include components using secure MIME (multipurpose Internet mail extensions), a standard that allows e-mail messages to contain encrypted data and digital signatures.
"Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk," said Scott Culp, manager for Microsoft security response.
Microsoft Outlook Express 5.5 and 6.0 are both affected. Earlier versions of the software giant's default e-mail application may also carry the flaw, but Microsoft hasn't tested the applications because they are no longer supported. Microsoft Outlook, the giant's full-featured e-mail and workgroup software, is not affected, Culp said.
The advisory released on Thursday includes links to a patch for Outlook Express 5.5 users and Outlook Express 6 Gold users. Anyone who has already downloaded and installed the Internet Explorer 6 service pack or the Windows XP service pack announced on Sept. 9 already have the patch, Culp said.
The company updated the advisory, its 58th this year, on Friday morning to explain an error message that appears on computers that have Internet Explorer 6 service pack 1 already installed if the user tries to install the new patch. Microsoft stated that the message--"This update requires Internet Explorer 6.0 to be installed"--is incorrect and should say that the patch is not needed.
