The vulnerability affects Outlook 98, 2000 and 2002, the e-mail application included in Microsoft's Office desktop software. It involves an ActiveX feature called Microsoft Outlook View Control, which is designed to let people view mail or calendar information through Web pages.
Because of the glitch, the control could allow an attacker to delete mail or change calendar information, running code on the target machine via a Web page or HTML-based e-mail, the software company said in a security bulletin posted on its Web site Thursday.
ActiveX is a set of technologies that provides tools for linking desktop applications to the Web.
Microsoft, which said no attacks due to the glitch have been reported, is nonetheless developing a patch for the security flaw. While the fix is being prepared, the company recommends that Outlook users disable ActiveX controls in the Internet Zone of Internet Explorer to protect their machines from a Web-based attack.
To protect against an e-mail assault, the Redmond, Wash., company recommends that Outlook 98 and 2000 users install the Outlook E-mail Security Update. An e-mail security update automatically installed with Outlook 2002 also defends against this line of attack.