A component shared by Outlook and Outlook Express, Inetcomm.dll, contains an unchecked buffer in the functionality that parses e-mail headers when downloading mail via either POP3 or IMAP4. By sending an e-mail that overruns the buffer, a malicious user could cause either of two effects to occur when the mail is downloaded from the server by an affected e-mail client: if the affected field is filled with random data, the e-mail client could be made to crash; if the affected field is filled with carefully crafted data, the e-mail client could be made to run code of the malicious user's choice.

The vulnerability affects all Outlook Express users and all Outlook users whose mail clients are configured to use either POP3 or IMAP4. Outlook users who have configured Outlook to use only MAPI services are unlikely to be affected by the vulnerability. Despite this, Microsoft recommends that such customers apply one of the corrective steps discussed in the Patch Availability section, primarily because the patch protects against other vulnerabilities that affect all Outlook users, regardless of the mail protocol they use.

A version of Inetcomm.dll that is not affected by the vulnerability ships as part of Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5. Customers who do not wish to upgrade to Outlook Express 5.5 should install the patch.
File Size: 963.96 kB
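The "unchecked buffer" class of defect described above, shown from the fix side: a header-value copy that tests every byte against the destination size and rejects an over-long field instead of writing past the buffer. This is an added illustration, not code from Inetcomm.dll or from Microsoft; the bulletin does not name the affected header field, and the function names, return codes and sample message are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum { HDR_OK = 0, HDR_NOT_FOUND = -1, HDR_TOO_LONG = -2 };
/* Constructed sample message; the X-Note line is body text, not a header. */
static const char sample[] =
    "From: a@example.com\r\nSubject: quarterly\r\n report\r\n"
    "Date: Mon, 1 Jan 2001 00:00:00 GMT\r\n\r\nX-Note: in body\r\n";

/* Case-insensitive match of "name:" at the start of a header line. */
static int name_matches(const char *line, const char *name, size_t nlen)
{
    for (size_t i = 0; i < nlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[nlen] == ':';
}

/* Copy header `name` into out[outsz], unfolding continuation lines.
 * The unchecked pattern is strcpy(out, value) with no length test; here every
 * byte is checked and an over-long value is rejected, not truncated. */
int copy_header_value(const char *msg, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name), used = 0;
    if (outsz == 0) return HDR_TOO_LONG;
    out[0] = '\0';
    for (const char *p = msg; *p && *p != '\r' && *p != '\n'; ) {
        int hit = name_matches(p, name, nlen);
        if (hit) for (p += nlen + 1; *p == ' ' || *p == '\t'; p++) ;
        do {                                   /* one physical line per pass */
            for (; *p && *p != '\r' && *p != '\n'; p++) {
                if (!hit) continue;
                if (used + 1 >= outsz) { out[0] = '\0'; return HDR_TOO_LONG; }
                out[used++] = *p;
            }
            if (*p == '\r') p++;
            if (*p == '\n') p++;
        } while (*p == ' ' || *p == '\t');     /* folded continuation follows */
        if (hit) { out[used] = '\0'; return HDR_OK; }
    }
    return HDR_NOT_FOUND;
}

int main(void)
{
    char buf[64], small[8];
    printf("%d %s\n", copy_header_value(sample, "subject", buf, sizeof buf), buf);
    printf("%d\n", copy_header_value(sample, "Date", small, sizeof small));
}
```

Rejecting the field outright, rather than silently truncating it, keeps a malformed message from being processed with a partial value.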