Monday, March 1, 2004

Understanding Office XP Service Pack 3 and an important warning

THIS WEEK'S POWERTIP

By Diane Poremsky

Early last week Microsoft released Office XP Service Pack 3 along with security bulletin MS04-009. The vulnerability described in the bulletin affects only Outlook 2002 SP2, so updating to SP3 takes care of one worry, but it may create other problems.

MS04-009 addresses a security vulnerability which exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.

Users are at risk only when Outlook 2002 is configured as the default mail reader and the "Outlook Today" page is set as the home page of their top-level folder. Disabling Outlook Today, by clearing the option to show the folder home page by default, therefore removes the exposure. Keep in mind that this is a workaround, not a fix: the only fix is installing SP3.

Note that if an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. This means users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges. This is why running day-to-day under an administrator account is not recommended, even though it is more convenient.

Only Outlook 2002 SP2 is affected by this vulnerability; Outlook 98, 2000, and 2003 are not. Anyone who doesn't use Outlook Today can nevertheless disable it as a precaution. To disable Outlook Today, right-click the top-level folder in the mailbox or personal folders (the folder with the little house icon), choose Properties, then the Home Page tab, and clear "Show home page by default for this folder".

As I mentioned earlier, updating to Outlook 2002 SP3 fixes the vulnerability but may create other problems. After installing Outlook 2002 SP3 you may see the "A program is trying to access... allow it for 1 minute" security warning.

This warning appears because Outlook 2002 SP3 extends the list of properties guarded by Outlook's object model security features, bringing it in line with the properties Outlook 2003 already blocks. Anti-spam add-ins, which read the message body as part of their scanning, are a common cause, although other add-ins are affected by the change as well. Many add-ins were updated after the release of Outlook 2003 and should work with SP3, but many others need to be re-engineered for Outlook 2002 SP3. Until the add-in that causes the warning is updated, you'll need to either live with the warning or disable the add-in, because SP3 cannot be uninstalled. If you use a version of Windows that supports System Restore, you may be able to use a restore point to remove SP3.
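As an added illustration (this script is not from the newsletter or from any add-in vendor), here is a small stand-alone VBScript that does what the anti-spam add-ins described above do: it walks the Inbox and reads each message body. It assumes Outlook 2002 SP3 or Outlook 2003 is installed, and it assumes, as the newsletter's description of those add-ins implies, that the Body property is among the ones the object model guard covers, while Subject is not. The file name scanbodies.vbs and the "unsubscribe" keyword are arbitrary choices for the demonstration.

```vbscript
' Added example, not code from the newsletter or from any add-in.
' Run with:  cscript scanbodies.vbs
' It reproduces the access pattern of an anti-spam add-in (read each
' message body) so you can see which line triggers the
' "A program is trying to access..." prompt on Outlook 2002 SP3.
Option Explicit

Const olFolderInbox = 6    ' OlDefaultFolders value for the Inbox
Const olMail = 43          ' OlObjectClass value for a MailItem
Const MAX_ITEMS = 5        ' keep the demonstration small

Dim app, ns, inbox, items, item, body, i, hits, scanned

Set app = CreateObject("Outlook.Application")
Set ns = app.GetNamespace("MAPI")
Set inbox = ns.GetDefaultFolder(olFolderInbox)
Set items = inbox.Items

hits = 0
scanned = 0
For i = 1 To items.Count
    If scanned >= MAX_ITEMS Then Exit For
    Set item = items.Item(i)
    ' Skip receipts, meeting requests and other non-mail items.
    If item.Class = olMail Then
        scanned = scanned + 1
        ' Subject is assumed not to be a guarded property: no prompt here.
        WScript.Echo "Subject: " & item.Subject

        ' Body is assumed to be a guarded property (this is the access an
        ' anti-spam add-in performs). On Outlook 2002 SP3 this raises the
        ' security dialog; if the user answers "No" the property access
        ' fails with a runtime error, so trap it instead of aborting.
        On Error Resume Next
        body = item.Body
        If Err.Number <> 0 Then
            WScript.Echo "  Body access denied by the object model guard (" _
                & Err.Description & ")"
            Err.Clear
        ElseIf InStr(1, body, "unsubscribe", vbTextCompare) > 0 Then
            hits = hits + 1
        End If
        On Error GoTo 0
    End If
Next

WScript.Echo hits & " of " & scanned & " scanned messages mention 'unsubscribe'"
```

If you answer "Yes" and allow access for 1 minute, the loop completes without further prompts within that window; answer "No" and each Body read is reported as denied, which is the same failure an un-updated add-in hits silently. Running the script on Outlook 2002 SP2 should produce no prompt at all, which is a quick way to confirm that the prompt you see after SP3 comes from the extended guard rather than from a change in the add-in itself.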