Article ID: 330994 - View products that this article applies to.
This article was previously published under Q330994
For information about the differences between Microsoft Outlook and Microsoft Outlook Express e-mail clients, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/257824/EN-US/ )OL2000: Differences Between Outlook and Outlook Express
Microsoft has released a cumulative patch for Microsoft Outlook Express. This cumulative patch includes updates for the issues that are described in the following Microsoft Knowledge Base article:
328676The patch that this article describes applies to the following versions of Microsoft Outlook Express:
(http://support.microsoft.com/kb/328676/ )MS02-058: OLEXP: An unchecked buffer in Outlook Express S/MIME parsing may permit system compromise
Because of this vulnerability in the MHTML URL Handler, it would be possible to construct a Uniform Resource Locator (URL) that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would run when the file was accessed. Because the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened in the Local Computer Zone are subject to fewer restrictions than files that are opened in other security zones.
By using this method, an attacker could try to construct a URL and either host it on a Web site or send it by using an e-mail message. In the Web-based scenario, where a user clicked a URL that is hosted on a Web site, an attacker could read or open files that are already present on the local computer. In an e-mail message-based attack, if the user was using Outlook Express 6.0 or Microsoft Outlook 2002 in its default configuration, or Microsoft Outlook 98 or Microsoft Outlook 2000 with the Outlook E-mail Security Update, an attack could not be automated, and the user would still have to click the URL that was sent in the e-mail message. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in its default configuration, or Outlook 98 or 2000 with the Outlook E-mail Security Update, the attacker could cause an attack to trigger automatically without the user having to click the URL in the e-mail message. In both the Web-based and e-mail message-based scenarios, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.
Applying the patch that is described in the following Microsoft Knowledge Base article will help block an attacker from being able to load a file onto a user's computer and prevent the passing of parameters to an executable file.
810847This means that an attacker could only start a program that already existed on the computer (if the attacker was aware of the location of the program) and would not be able to pass parameters to the program for it to run.
(http://support.microsoft.com/kb/810847/EN-US/ )MS03-004: February, 2003, Cumulative Patch for Internet Explorer
MHTML is a standard for exchanging HTML content in e-mail, and, as a result, the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content. However, the MHTML function has not been implemented separately in Internet Explorer - it uses Outlook Express to render the MHTML content.
For more information about this patch, visit the following Microsoft Web site:
Download InformationThe following file is available for download from the Microsoft Download Center:
Download the 330994 package now.
Collapse this imageExpand this image
(http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=330994&DisplayLang=en)Release Date: April 23, 2003
For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
(http://support.microsoft.com/kb/119591/ )How to obtain Microsoft support files from online services
Service Pack InformationTo resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
Installation InformationYou must be logged on as an administrator to install this patch. To verify that the patch is installed on your computer, check the files in the "File Information" section of this article.
Outlook Express 6.0 Service Pack 1To install the Outlook Express 6.0 Service Pack 1 version of this patch, you must be running Microsoft Outlook Express 6.0 Service Pack 1 on a computer that is running Microsoft Windows XP Service Pack 1 (32-bit or 64-bit versions).
Outlook Express 6.0To install the Outlook Express 6.0 version of this patch, you must be running Outlook Express 6.0 on a 32-bit version of Windows XP.
Outlook Express 5.5 Service Pack 2To install the Microsoft Outlook Express 5.5 Service Pack 2 version of this patch, you must be running Microsoft Outlook Express 5.5 Service Pack 2 on a computer that is running Microsoft Windows 2000 Service Pack 3.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/328548/ )How to obtain the latest service pack for Internet Explorer 6
(http://support.microsoft.com/kb/322389/ )How to obtain the latest Windows XP service pack
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
Reboot RequirementWhen you install the patches that are described in this article, you do not have to reboot your computer when the following conditions are true:
Previous Update StatusThis patch supersedes the Microsoft Security Bulletin MS02-058 for Outlook Express and the Cumulative Update for Outlook Express 6.0 SP1.
Setup SwitchesThe update packages for this patch support the following switches:
q330994 /q:a /r:n
File InformationThe English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Internet Explorer 6 SP1 (32-bit)
Date Time Version Size File name -------------------------------------------------------------- 03-Mar-2003 04:24 6.0.2800.1123 75,776 Directdb.dll 03-Mar-2003 04:41 6.0.2800.1165 592,384 Inetcomm.dll 09-Mar-2003 12:42 6.0.2800.1123 47,616 Inetres.dll 03-Mar-2003 09:24 6.0.2800.1123 44,032 Msident.dll 03-Mar-2003 03:57 6.0.2800.1123 56,832 Msimn.exe 11-Oct-2002 02:08 6.0.2800.1158 1,174,528 Msoe.dll 03-Mar-2003 03:57 6.0.2800.1123 228,864 Msoeacct.dll 03-Mar-2003 03:57 6.0.2800.1123 2,479,616 Msoeres.dll 03-Mar-2003 03:57 6.0.2800.1123 91,136 Msoert2.dll 03-Mar-2003 03:57 6.0.2800.1123 93,184 Oeimport.dll 03-Mar-2003 03:57 6.0.2800.1123 55,808 Oemig50.exe 03-Mar-2003 03:57 6.0.2800.1123 31,744 Oemiglib.dll 03-Mar-2003 03:57 6.0.2800.1123 42,496 Wab.exe 03-Mar-2003 03:57 6.0.2800.1123 462,848 Wab32.dll 03-Mar-2003 03:57 6.0.2800.1123 30,208 Wabfind.dll 03-Mar-2003 03:57 6.0.2800.1123 77,824 Wabimp.dll 03-Mar-2003 03:57 6.0.2800.1123 27,648 Wabmig.exe
Internet Explorer 6 SP1 (64-bit)
Date Time Version Size File name -------------------------------------------------------------- 05-Nov-2002 09:53 6.0.2800.1123 251,904 Directdb.dll 19-Feb-2003 03:19 6.0.2800.1165 2,197,504 Inetcomm.dll 05-Nov-2002 09:53 6.0.2800.1123 47,104 Inetres.dll 05-Nov-2002 09:53 6.0.2800.1123 63,488 Msimn.exe 19-Feb-2003 03:37 6.0.2800.1158 4,482,560 Msoe.dll 05-Nov-2002 09:53 6.0.2800.1123 729,088 Msoeacct.dll 05-Nov-2002 09:54 6.0.2800.1123 2,479,104 Msoeres.dll 05-Nov-2002 09:53 6.0.2800.1123 300,032 Msoert2.dll 05-Nov-2002 09:53 6.0.2800.1123 302,080 Oeimport.dll 05-Nov-2002 09:54 6.0.2800.1123 142,336 Oemig50.exe 05-Nov-2002 09:54 6.0.2800.1123 73,728 Oemiglib.dll 05-Nov-2002 09:53 6.0.2800.1123 87,040 Wab.exe 05-Nov-2002 09:53 6.0.2800.1123 1,773,568 Wab32.dll 05-Nov-2002 09:53 6.0.2800.1123 38,912 Wabfind.dll 05-Nov-2002 09:53 6.0.2800.1123 240,640 Wabimp.dll 05-Nov-2002 09:53 6.0.2800.1123 71,680 Wabmig.exe
Internet Explorer 6
Date Time Version Size File name -------------------------------------------------------------- 17-Mar-2003 11:44 6.0.2727.1300 594,944 Inetcomm.dll 17-Mar-2003 11:44 6.0.2720.3000 1,175,040 Msoe.dll
Internet Explorer 5.5 SP2
Note This patch does not contain file dependencies.
Date Time Version Size File name -------------------------------------------------------------- 30-Jan-2003 04:26 5.50.4925.2800 572,176 Inetcomm.dll 15-Oct-2002 07:15 5.50.4922.1500 1,146,640 Msoe.dll
Removal InformationTo remove this patch, use the Add or Remove Programs (Add/Remove Programs) tool in Control Panel. Click Outlook Express Update Q330994, and then click Change/Remove (or Add/Remove).
Article ID: 330994 - Last Review: July 30, 2007 - Revision: 4.9