[thelist] If you are using Outlook....

Anthony Baratta Anthony at Baratta.com
Wed Mar 10 21:10:03 CST 2004


better get it patched. This patch is NOT available via WindowsUpdate.

********************************************************************
US-CERT Technical Cyber Security Alert TA04-070A
-- Microsoft Outlook mailto URL Handling Vulnerability
********************************************************************

Apply a patch

    Apply the appropriate patch as specified by Microsoft Security
    Bulletin MS04-009.

    http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

Workarounds

    Microsoft recommends the following workarounds for users who are
    unable to apply the patches:

      * Do not use the "Outlook Today" folder home page in Outlook 2002

        You can help protect against this vulnerability by turning off
        the "Outlook Today" folder home page in Outlook 2002.

          1. In the "Folder List" window of Outlook, right-click on
             "Outlook Today" or "Mailbox - [User Name]"

          2. Select Properties for "Outlook Today" or "Mailbox - [User
             Name]"

          3. Select "Home Page" tab

          4. Uncheck "Show home page by default for this folder"

          5. Repeat for all other "Folder List" items labeled "Outlook
             Today" or "Mailbox - [User Name]"

        Impact of Workaround: The "Outlook Today" folder home page would
        no longer be available.

      * If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later,
        read email messages in plain text format to help protect yourself
        from the HTML email attack vector

        Microsoft Outlook 2002 users who have applied Service Pack 1 or
        later and Outlook Express 6.0 users who have applied Service Pack
        1 or later can enable a feature that will enable them to view all
        non-digitally-signed email messages or non-encrypted email
        messages in plain text only. Digitally-signed email messages and
        encrypted email messages are not affected by the setting and may
        be read in their original formats.

        Instructions for enabling these settings can be found at the
        following locations:

           + Outlook 2002 - Microsoft Knowledge Base Article 307594

           + Outlook Express 6.0 - Microsoft Knowledge Base Article 291387

        Impact of Workaround: Email that is viewed in plain text format
        cannot contain pictures, specialized fonts, animations, or other
        rich content. Additionally:

           + The changes are applied to the preview pane and to open
             messages.

           + Pictures become attachments to avoid loss of message content.

           + The object model (custom code solutions) may behave
             unexpectedly because the message is still in Rich Text Format
             or in HTML format in the mail store.
---
Anthony Baratta
President
Keyboard Jockeys

"Conformity is the refuge of the unimaginative."


