Microsoft patches holes in IE, Outlook

Microsoft once again has welcomed Wednesday with patches for security flaws discovered in its Windows applications.

The software giant warned customers that they should apply updates for both Internet Explorer and Outlook Express to fix critical security vulnerabilities that could let attackers run programs on a victim's PC.

"The No. 1 thing that we want people to walk away with is to install the updates so their machine is protected," said Stephen Toulouse, security program manager for Microsoft's security response center.

Last year, Microsoft began to release advisories midweek due to customer comments indicating such a policy makes it more likely that patches can be applied quickly. Both advisories can be found on the Redmond, Wash., company's Web site.

Internet Explorer 5.01, 5.5 and 6.0 all have four flaws, the worst of which could allow an attacker to take control of a person's computer if a victim were follow links to a Web site or read an HTML (Hypertext Markup Language) e-mail created by an attacker.

A so-called buffer overflow vulnerability, which an attacker can exploit by sending more input to a program than the application expects, could allow the owner of a Web site to run code on the person's computer. Buffer overflows are an old type of vulnerability that still crop up frequently in programs. The flaw occurs in a component of Internet Explorer that delivers Web addresses to the browser from other sources--for instance, if a person clicked on a URL in an e-mail or a Word document.

Two other vulnerabilities allow an attacker to place code on a Web site that would cause the browser to upload a file from a victim's computer. Another flaw affects how the application handles third-party files such as Adobe Systems' portable document format.

The flaw in Outlook Express is in the way that the application handles the encapsulation of HTML in e-mails. A software error in the component allows an attacker to run programs on a victim's computer.

Even Windows users who don't read or send e-mail using Microsoft Outlook Express or browse with Internet Explorer should install the update, the advisories stressed.

The advisories are the software giant's 14th and 15th this year. This is the company's second year of trying to secure its myriad of applications under its Trustworthy Computing Initiative.

[badisbad]

outlook express

most of my work is done over the internet. when a job comes in from my company. i click on to customers e-mail address, it takes me to outlook express. when i've completed my project i click send. a yellow error comes up and states we no longer send e-mail through hot mail. now my project is stuck in outlook express for ever. frankly i'm sick and tired of it . brad

[tutenstein]

This is a test

This is a test of a reply to a comment.

[tutenstein]

This is a test of a reply to a comment

This is a test of a reply to a comemnt.

[tutenstein]

This is another test after resin-web install

This is another test after resin-web install.

[tutenstein]

A top level comment after sageLibs.xml

A top level comment after sageLibs.xml installation.

[tutenstein]

A reply to story after sageLibs install

A reply to story after sageLibs install.

[tutenstein]

Reply to comment after sageLibs install

Reply to comment after sageLibs install.