VNU Net: Microsoft hit by further Outlook bug | Linux Today

VNU Net: Microsoft hit by further Outlook bug

Written By
Web Webster
Web Webster
Jul 28, 2000

By John Leyden, VNU Net

Microsoft has issued a patch for a vulnerability in its Outlook
messaging software that could allow an attacker to use a message
formatted in HTML to read files on a victim’s machine.

In a security notice on the issue, online security advisory
service CERT warned that the “Cache Bypass” vulnerability could be
used in conjunction with other techniques to allow files, which
could be Trojan Horse-style malicious code, to be placed on an
unwary user’s computer.

This is possible because the vulnerability allows attackers to
use HTML-formatted messages to store files outside a cache where
they are subject to more permissive security policies.

CERT said that the vulnerability is potentially damaging. “When
exploited, this vulnerability allows an attacker to store an HTML
file in an area that is not protected by the policies of the
‘Internet Zone’. This file may then be used to open arbitrary files
on [a] machine and send the contents back to the attacker.”

However, other security experts were careful to downplay the
seriousness of the flaw.

Matthew Pemble, an ex-military ethical hacker, and now senior
information security specialist at IS integration, said: “This
vulnerability would only allow you to read files whose default
reader is Internet Explorer – such as HTML and text files. This is
nowhere near as severe as the buffer overflow vulnerability that
affected Outlook users last week.”

“The latest vulnerability is academic until it is incorporated
in a virus,” he added.

Like the buffer overflow issue, the root cause of the latest
problem is a component that is shared by both Outlook and Outlook
Express. As a result, the vulnerability affects both products.

Microsoft has advised users to either install a patch, which it
has made available online, or to upgrade to default versions of IE
5.01 Service Pack 1 or 5.5, on any system except Windows 2000.

Separately, Microsoft has issued a patch for the buffer overflow
vulnerability allowing users to protect themselves without a full
version upgrade. This vulnerability was severe because, left
uncorrected, it could allow users to become infected with email
viruses before they download email.

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.