The Internet Explorer vulnerability affects versions 5.5 and 6.0 but not 5.01. It is addressed in a cumulative patch for Internet Explorer that can be found at http://www.microsoft.com/technet/security/bulletin/MS02-068.asp.
The new vulnerability involves a flaw in IE's cross-domain security model that arises from IE's incomplete security checks when certain object caching techniques are used on Web pages. The flaw could result in information disclosure.
The flaw in Microsoft's flagship e-mail client exists in the way Outlook 2002 processes e-mail header information. To execute this denial of service attack, an attacker would need to send a specially malformed e-mail to the Outlook 2002 user. The message would cause Outlook 2002 to fail and the e-mail client application would continue to fail until the message is removed from the server. The message removal could be done at the server level by an administrator or by the client using another e-mail client, such as Outlook Web Access or Outlook Express.
The patch for the Outlook 2002 vulnerability can be found at
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.