Email + IE = Flaw
The (other) problem with HTML email

Some days, it's just got to be tough to be Microsoft®. Like heroic Peter in "The Hole in the Dike", the proverbial finger in the dam is in the form of yet another security patch. (One can almost visualize a multitude of Microsoft software engineers spread out over the Windows operating system much like in the game Twister, each valiantly trying to stem the flow of security breaches). This latest vulnerability is found in HTML email, as a result of its handling by Internet Explorer.

HTML email does more than deliver pretty stationery, clickable links, and banner advertising to our inboxes. It can be used to embed script viruses such as the Kak worm and, coupled with Internet Explorer, can automatically download and execute files on your system. "Look ma, a hands-free virus." Microsoft has tested and confirmed the vulnerability in Internet Explorer versions 5.01 and 5.5. If you have an earlier version, you're not exactly off the hook either. Microsoft only tested versions it "supports". In plain language, that means you can take your chances with the older version or upgrade to 5.01 or 5.5 and apply the patch. Worse, if you attempt to install the patch on a non-supported version of Internet Explorer, a message will be displayed erroneously stating that the patch is not needed.

When an HTML email is opened, Internet Explorer provides the means to display the message inside the mail client (for example, Outlook Express). Internet Explorer first determines the attachment's type from the information the message supplies about it. If that information says the attachment is non-executable, Internet Explorer renders it automatically. Thus, by editing the attachment information, a sender can trick Internet Explorer into automatically executing the attachment(s). Of course, anyone going to the trouble of modifying these indicators likely has malicious intentions.

Specifically, the vulnerability allows an unscrupulous person to attach an executable file to an HTML-rendered email message, then make certain modifications to the MIME headers so that the attachment appears not to be an executable. (MIME is an acronym for Multipurpose Internet Mail Extensions, a widely used Internet standard for encoding binary files as email attachments.) When such an email is read, the attachment runs automatically with no prompt to the user. Theoretically, the attachment would have free rein of the system and could do anything the user has rights to do, including deleting files, formatting the drive, and so on.
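A defender-side check for the mislabeling described above, added here as an example and not taken from the article or from Microsoft: it parses a message with Python's standard email library and flags attachments whose declared Content-Type disagrees with the filename extension or the leading bytes of the decoded content. The sample message is constructed inside the block, and its "executable" is only a two-byte signature stub, not a program.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; a part carrying one of these should
# be declared under application/*, never as audio, image or text.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
DOS_PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable


def audit_attachments(raw: bytes) -> list:
    """Return one finding per attachment whose declared MIME type is
    contradicted by its filename extension or by its content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()           # from Content-Type
        filename = part.get_filename() or ""          # disposition or name=
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append(f"executable extension {ext} declared as {declared}")
        if payload.startswith(DOS_PE_MAGIC) and not declared.startswith("application/"):
            reasons.append(f"DOS/PE signature under declared type {declared}")
        if reasons:
            findings.append({"filename": filename, "declared": declared, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test message: one mislabeled stub, one honest GIF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<p>hello</p>", subtype="html")
    stub = DOS_PE_MAGIC + b"\x00" * 30        # signature only, not a real binary
    msg.add_attachment(stub, maintype="audio", subtype="x-wav", filename="readme.exe")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image", subtype="gif",
                       filename="logo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in audit_attachments(build_sample()):
        print(f)
```

A mail gateway applying this rule quarantines the message before the client ever hands it to Internet Explorer, which complements the zone setting discussed next.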

The exploit only works if the security zone settings for the mail client allow file downloads to occur - by default this is enabled. Disabling file downloads in email will prevent the exploit and only impacts the undesirable automatic downloads. By changing this setting, users can continue to share files via email without risk of files automatically downloading and executing. The Email Help Center provides instructions for configuring the security zones for Microsoft Outlook and Outlook Express.

For complete details on the vulnerability, or to download the patch, see Microsoft Security Bulletin MS01-020.


©2009 About.com, a part of The New York Times Company. All rights reserved.