According to Microsoft, a vulnerability in Outlook Express (and affecting Outlook as well) could allow an attacker to cause the mail client to run code of his or her choice on the affected user’s machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine. Microsft has designated the security patch as a critical update.

Microsoft issued a security bulletin to alert users, stating, "If an attacker created a vCard containing specially malformed data and then emailed it to someone who uses an affected version of Outlook or Outlook Express, the data in the vCard could, when opened, could cause code of the attacker’s choice to run on the recipient’s machine. Such code could take any action the user himself could take, including adding, changing or deleting data, communicating with web sites, reformatting the disk drive, and other actions." Such action could also include placing a remote access trojan on the user's machine, or infecting it with a virus.

Affected versions are:

Microsoft Outlook 98
Microsoft Outlook 2000
Microsoft Outlook Express 5.x