Bug threatens Outlook users

A flaw in Microsoft's Outlook Express has left users vulnerable to malicious attacks. The flaw is in a component of the email software which processes virtual business cards, or vcards.

An attacker can exploit this weakness to 'hide' damaging code in a vcard. The user's mail client could be made to crash, or, more seriously, the attacker could cause the mail client to run code on the user's machine. According to Microsoft, such code could take any desired action, limited only by the permissions of the recipient on the machine. However, the vcard needs to be opened for these effects to occur, and there is no means by which one could be made to open automatically. The flaw effects Outlook 97, Outlook 2000, Outlook Express 5.01, and Outlook Express 5.5. Microsoft is advising users to download a patch - see http://www.microsoft.com/technet/security/bulletin/ms01-012.asp .