More IE & Outlook flaws
by Arie Slob
Hello Windows users,
Just a few weeks ago, Microsoft issued the "November Cumulative Patch for Internet Explorer" as I reported in the Newsletter of the 23rd November.
This week saw the release of the "December Cumulative Patch for Internet Explorer", this time for Internet Explorer versions 5.5 and 6.0 (version 5.01 was not affected).
The new patch was needed because a newly spotted security flaw could allow hackers to pilfer information from computers running the Internet Explorer versions listed. According to Microsoft, "the flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user's local system. Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous."
On the same day Microsoft issued a patch for Outlook 2002 (not Outlook Express). A flaw exists in the way that Outlook 2002 processes e-mail header information: an attacker could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances.
Microsoft rated both these flaws as "moderate" threats, but recommends that all users apply the appropriate patches. This rating (in relation to the Internet Explorer vulnerability) drew criticism from Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions, who posted on the BugTraq forum: "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."
To me it seems he is quite right, and I would urge all Windows-Help.NET Newsletter readers to treat this as "critical" instead, and apply the patch immediately. More info on the availability of the patch can be found below.
December 2002 Cumulative Patch for Internet Explorer 5.5 and 6.0
Microsoft released a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model.
Affected Software Versions
Microsoft Internet Explorer 5.5 and 6.0
E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail
Microsoft released a patch for a bug in Microsoft Outlook 2002 that an attacker could use to cause the Outlook client to fail under certain circumstances.
Affected Software Versions
Microsoft Outlook 2002