Microsoft Outlook / Outlook Express Cache Bypass Vulnerability

Microsoft has released a patch for Outlook Express 5.01 which will eliminate this vulnerability. The patch requires Internet Explorer 4.01 Service Pack 2 or Internet Explorer 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. The patch can be downloaded from the following URL:

If a patch is not available for the version of Outlook or Outlook Express that you are running, take either of the following actions:

Users who install Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.5 on any system other than Windows 2000, are not affected by this vulnerability. In addition, users who have configured Outlook to use MAPI only are not affected by the vulnerability, regardless of which version they are using.

The vulnerability can be eliminated by upgrading to either of the following using the default installation:

Internet Explorer 5.01 Service Pack 1 (on any system)

Internet Explorer 5.5 (on any system except for Windows 2000)

Non-default installations will also rectify the vulnerability as long as an installation method that installs upgraded Outlook Express components is chosen. An upgrade to Internet Explorer 5.5 on a Windows 2000 machine will not eliminate the vulnerability because it will not install upgraded Outlook Express components. Windows 2000 users should either install Windows 2000 Service Pack 1 (which will install both Internet Explorer 5.5 and upgrade the Outlook Express components at the same time) or uninstall Internet Explorer 5.5, install Internet Explorer 5.01 and apply Internet Explorer 5.01 Service Pack 1.


Copyright 2010, SecurityFocus