Microsoft Outlook 98 and 2000, as well as Outlook Express 4.0x and 5.0x, are email clients that allow remote attackers to read files on the client's system via a malformed HTML message that stores files outside of the cache. This vulnerability can be exploited by sending a maliciously crafted HTML message to an affected user, potentially leading to unauthorized access to sensitive data.
You're affected if you use Microsoft Outlook 98 or 2000, or Outlook Express 4.0x or 5.0x. Check with: file /i *.html (Windows command) or grep -r "HTML" outlook*.exe (command-line search in executable files).
Note: This vulnerability is specific to these versions of the software and not applicable to other Microsoft products.
Upgrade to a newer version of Outlook, such as Outlook 2002 or later.
- Apply the patch from Microsoft's security advisory (http://www.cert.org/advisories/CA-2000-14.html).
- Immediate mitigations:
- Use a reputable antivirus program to scan for malicious attachments and emails.
- Be cautious when opening HTML files or attachments from unknown sources.