PC Tools - Essential tools for your PC

Cache Bypass Vulnerability

A security vulnerability exists in Microsoft® Outlook® and Outlook Express which could allow a malicious user to send an HTML mail that, when opened, could read, but not add, change or delete, files on the recipient's computer.

Issue

By design, an HTML mail that creates a file on the recipient's computer should only be able to create it in the so-called cache. Files in the cache, when opened, run in the Internet Zone. However, this vulnerability would allow an HTML mail to bypass the cache mechanism and create a file in a known location on the recipient's disk. If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it to a malicious user's web site. The vulnerability could also be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means.

The vulnerability would not enable the malicious user to add, change or delete files on the user's computer. Only files that can be opened in a browser window, such as .txt, .jpg or .htm files, could be read via this vulnerability, and the malicious user would need to know or guess the full path and file name of every file he wished to read.

The vulnerability resides in a component that is shared by Outlook and Outlook Express, and as a result the vulnerability affects both products. A version of the component that is not affected by the vulnerability ships as part of Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5.

Affected Products

  • Microsoft Outlook Express 4.x & 5.x, Outlook 98 and 2000

Download

Patch: http://www.microsoft.com/windows/ie/download/critical/patch9.htm

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 20, 2000
