Microsoft Security Bulletin (MS99-060)

--------------------------------------



Patch Available for "HTML Mail Attachment" Vulnerability

Originally Posted: December 22, 1999



Summary

=======

Microsoft has released a patch that addresses two issues:

 - It eliminates a security vulnerability in the Microsoft(r)

   Outlook Express mail client for Macintosh systems. The

   vulnerability could allow attachments to HTML mails to be

   automatically downloaded onto the user's computer.

 - It provides replacements for several digital certificates

   that are included in Internet Explorer for Macintosh, and

   will expire on December 31, 1999.



Frequently asked questions regarding this patch can be found at

http://www.microsoft.com/security/bulletins/ms99-060faq.asp.



Issue

=====

There are two issues here. The first is a security vulnerability found in

Outlook Express 5 for Macintosh. By design, when an HTML mail is received,

the mail content is downloaded onto the user's machine and processed.

However, attachments to the mail should not be downloaded unless the user

requests it. A flaw in Outlook Express 5 for Macintosh causes it to download

all content, including attachments. The vulnerability does not provide a way

for a malicious user to launch the downloaded attachments.



The second issue involves several digital certificates that are included in

Internet Explorer 4.5 for Macintosh. These certificates are due to expire on

December 31, 1999. The patch provides updated certificates, and also adds

support for X509 V3 certificates. There is no security vulnerability

associated with this issue; Microsoft is simply providing the replacement

certificates and X.509 V3 support as a community service.



It is important to note that both the security vulnerability and the

certificate expiration issue affect only Outlook Express and Internet

Explorer on the Macintosh; the Windows versions of these products are not

affected.



Affected Software Versions

==========================

 - Microsoft Internet Explorer 4.5 for Macintosh

 - Microsoft Outlook Express 5.0 for Macintosh (available as a

   stand-alone product or bundled with Internet Explorer 5.0 for Macintosh)



Patch Availability

==================

 - http://www.microsoft.com/mac/download



NOTE: Additional security patches are available at the Microsoft Download

Center



More Information

================

Please see the following references for more information related to this

issue.

 - Frequently Asked Questions: Microsoft Security Bulletin MS99-060,

   http://www.microsoft.com/security/bulletins/MS99-060faq.asp.

 - Internet Explorer 4.5 Security Issue,

   http://www.microsoft.com/mac/IESecIssue/default.asp.

 - Microsoft Knowledge Base (KB) article Q249082,

   Outlook Express 5 for Macintosh Automatically downloads HTML

   Mail Attachments,

   http://support.microsoft.com/support/kb/articles/q249/0/82.asp.

   (Note: It may take 24 hours from the original posting of this bulletin

   for this KB article to be visible.)

 - Microsoft Security Advisor web site,

   http://www.microsoft.com/security/default.asp.



Obtaining Support on this Issue

===============================

This is a fully supported patch. Information on contacting Microsoft

Technical Support is available at

http://support.microsoft.com/support/contact/default.asp.



Revisions

=========

 - December 22, 1999: Bulletin Created.



--------------------------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"

WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER

EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS

FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS

SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,

INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN

IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR

LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE

FOREGOING LIMITATION MAY NOT APPLY.



(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use