[thelist] FW: Microsoft Security Bulletin (MS99-060)

Scott Dexter sgd at ti3.com
Wed, 22 Dec 1999 23:24:15 -0600


Mac-related ....

sgd
--
think safely

> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif@MICROSOFT.COM]
> Sent: Wednesday, December 22, 1999 2:54 PM
> To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin (MS99-060)
> 
> 
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
>                     ********************************
> 
> Microsoft Security Bulletin (MS99-060)
> --------------------------------------
> 
> Patch Available for "HTML Mail Attachment" Vulnerability
> Originally Posted: December 22, 1999
> 
> Summary
> =======
> Microsoft has released a patch that addresses two issues:
>  - It eliminates a security vulnerability in the Microsoft(r)
>    Outlook Express mail client for Macintosh systems. The
>    vulnerability could allow attachments to HTML mails to be
>    automatically downloaded onto the user's computer.
>  - It provides replacements for several digital certificates
>    that are included in Internet Explorer for Macintosh, and
>    will expire on December 31, 1999.
> 
> Frequently asked questions regarding this patch can be found at
> http://www.microsoft.com/security/bulletins/ms99-060faq.asp.
> 
> Issue
> =====
> There are two issues here. The first is a security vulnerability found in
> Outlook Express 5 for Macintosh. By design, when an HTML mail is received,
> the mail content is downloaded onto the user's machine and processed.
> However, attachments to the mail should not be downloaded unless the user
> requests it. A flaw in Outlook Express 5 for Macintosh causes it to download
> all content, including attachments. The vulnerability does not provide a way
> for a malicious user to launch the downloaded attachments.
> 
> The second issue involves several digital certificates that are included in
> Internet Explorer 4.5 for Macintosh. These certificates are due to expire on
> December 31, 1999. The patch provides updated certificates, and also adds
> support for X509 V3 certificates. There is no security vulnerability
> associated with this issue; Microsoft is simply providing the replacement
> certificates and X.509 V3 support as a community service.
> 
> It is important to note that both the security vulnerability and the
> certificate expiration issue affect only Outlook Express and Internet
> Explorer on the Macintosh; the Windows versions of these products are not
> affected.
> 
> Affected Software Versions
> ==========================
>  - Microsoft Internet Explorer 4.5 for Macintosh
>  - Microsoft Outlook Express 5.0 for Macintosh (available as a
>    stand-alone product or bundled with Internet Explorer 5.0 for Macintosh)
> 
> Patch Availability
> ==================
>  - http://www.microsoft.com/mac/download
> 
> NOTE: Additional security patches are available at the Microsoft Download
> Center
> 
> More Information
> ================
> Please see the following references for more information related to this
> issue.
>  - Frequently Asked Questions: Microsoft Security Bulletin MS99-060,
>    http://www.microsoft.com/security/bulletins/MS99-060faq.asp.
>  - Internet Explorer 4.5 Security Issue,
>    http://www.microsoft.com/mac/IESecIssue/default.asp.
>  - Microsoft Knowledge Base (KB) article Q249082,
>    Outlook Express 5 for Macintosh Automatically downloads HTML
>    Mail Attachments,
>    http://support.microsoft.com/support/kb/articles/q249/0/82.asp.
>    (Note: It may take 24 hours from the original posting of this bulletin
>    for this KB article to be visible.)
>  - Microsoft Security Advisor web site,
>    http://www.microsoft.com/security/default.asp.
> 
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
> 
> Revisions
> =========
>  - December 22, 1999: Bulletin Created.
> 
> --------------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
> IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
> 
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use
> 