FRAMINGHAM (07/27/2000) - Microsoft Corp. has issued a stand-alone patch that it said fixes a recently discovered hole in its Outlook and Outlook Express e-mail software. The hole created the potential for attackers to infect systems with malicious code that could be executed without the unsuspecting victims having to do anything to initiate an attack.
The so-called buffer overrun vulnerability -- which initially was discovered by an Argentinian security software company -- opens the popular Internet e-mail software to attacks when messages are being downloaded from a server to Outlook or Outlook Express clients. Recipients wouldn't have to open or even preview an infected message in order for their systems to be exploited, according to an advisory issued last week by Microsoft.
The patch that eliminates the hole was released by Microsoft last Friday and can be downloaded from the company's Web site. Microsoft is also advising users to perform a default installation of Internet Explorer 5.01 Service Pack 1 or to upgrade to IE 5.5 on any system except Windows 2000.
Earlier last week, before the stand-alone patch became available, users had to do a full-version upgrade of either IE 5.5 or the IE 5.01 service pack to work around the security hole. Microsoft said the vulnerability affects all users of Outlook Express, plus Outlook users who rely on the Post Office Protocol Version 3 and the Internet Mail Access Protocol Version 4 to access their Internet mail.