Microsoft has released a patch that addresses two issues:
- It eliminates a security vulnerability in the Outlook Express mail client for Macintosh systems. The vulnerability allows attachments to HTML e-mails to be automatically downloaded onto the user's computer.
- It provides replacements for several digital certificates that are included in Internet Explorer for Macintosh and that will expire on December 31, 1999.
Credit:
The information was provided by: Microsoft Product Security
There are two issues here. The first is a security vulnerability found in Outlook Express 5 for Macintosh. By design, when an HTML mail is received, the mail content is downloaded onto the user's machine and processed. However, attachments to the mail should not be downloaded unless the user requests it. A flaw in Outlook Express 5 for Macintosh causes it to download all content, including attachments. The vulnerability does not provide a way for a malicious user to launch the downloaded attachments.
The second issue involves several digital certificates that are included in Internet Explorer 4.5 for Macintosh. These certificates are due to expire on December 31, 1999. The patch provides updated certificates, and also adds support for X.509 V3 certificates. There is no security vulnerability associated with this issue; Microsoft is simply providing the replacement certificates and X.509 V3 support as a community service.
It is important to note that both the security vulnerability and the certificate expiration issue affect only Outlook Express and Internet Explorer on the Macintosh; the Windows versions of these products are not affected.
Affected Software Versions
- Microsoft Internet Explorer 4.5 for Macintosh
- Microsoft Outlook Express 5.0 for Macintosh (available as a stand-alone product or bundled with Internet Explorer 5.0 for Macintosh)
Patch Availability
- http://www.microsoft.com/mac/download
What causes the vulnerability?
Every HTML mail consists of at least one file that provides text and formatting commands. However, there may also be graphic files and background images. Finally, HTML mail, like other forms of mail, can contain attached files.
By design, the files that provide the mail's text and look and feel are downloaded and processed when the mail is opened. However, attachments should not be downloaded unless the user requests it. This vulnerability results because Outlook Express 5 for the Macintosh automatically downloads all files in HTML mail, including attachments.
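The intended behaviour described above can be written down as a small policy check. The following is an added example, not code from Microsoft or from Outlook Express: it assumes the mail is a standard MIME message in which attachments are marked with `Content-Disposition: attachment` and inline resources are referenced from the HTML body by `cid:` URLs. The function name `classify_parts` and the sample message are hypothetical and constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample HTML mail: body, one inline background image, one attachment.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html

<html><body background="cid:bg1"><p>Hello</p></body></html>
--inner
Content-Type: image/gif
Content-ID: <bg1>

GIF89a
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.bin"

payload
--outer--
"""

def classify_parts(raw):
    """Return (fetch_on_open, wait_for_user) lists of part labels."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    # Content-IDs the HTML body actually references through cid: URLs.
    html = "".join(p.get_payload(decode=True).decode("ascii", "replace")
                   for p in leaves if p.get_content_type() == "text/html")
    referenced = set(re.findall(r"cid:([\w.@+-]+)", html))
    fetch, hold = [], []
    for p in leaves:
        attached = p.get_content_disposition() == "attachment"
        cid = (p.get("Content-ID") or "").strip("<>")
        label = p.get_filename() or cid or p.get_content_type()
        is_body = p.get_content_type() in ("text/html", "text/plain") and not attached
        is_inline = cid in referenced and not attached
        # Only the body and resources it references are processed on open.
        (fetch if is_body or is_inline else hold).append(label)
    return fetch, hold

if __name__ == "__main__":
    print(classify_parts(SAMPLE))
```

A part that is explicitly marked as an attachment stays in the second list even when the body references its Content-ID, which is the distinction the flawed client failed to make.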
Where would the downloaded files be stored?
The location for downloaded files is configurable via Internet Explorer. However, in some cases, the default settings will cause downloaded files to be stored on the desktop.
Could this be used to automatically execute a malicious email attachment?
No. The vulnerability causes the attachment to be downloaded onto the recipient's machine, but doesn't provide a way for a malicious user to cause it to launch. Only the user could launch the file.
Does the vulnerability affect Outlook Express on Windows platforms?
No. It only affects Outlook Express on Macintosh.
Does this affect types of mail other than HTML?
No. HTML mail is the only type of mail affected.
The patch also corrects a problem with digital certificates. What's the issue here?
Internet Explorer provides a number of digital certificates that can be used to set up sessions with secure web sites. Like all digital certificates, these have an expiration date. The patch provides replacements for several certificates that are due to expire soon. More information on this issue is available at the Microsoft MacTopia web site. In addition, the patch ensures that the current industry standard for digital certificates, X.509 version 3, is supported by Internet Explorer 4.5 for Macintosh.
What would happen if I didn't replace the certificates?
If you visited a secure web site, you'd get a dialogue telling you that the certificate has expired. You could still choose to use the certificate anyway, if you wanted to, and could still set up a secure session.
Does either of these issues affect users on Windows platforms?
No. The security vulnerability and the digital certificate expiration issue affect only Outlook Express and Internet Explorer for Macintosh.