Microsoft: Email patch flawed

The company warns that the patch intended to fix a security hole in its Outlook Express email program does not fix a related problem.

Microsoft has warned that a patch posted yesterday to fix a security hole in its Outlook Express email program does not repair a related problem.

The company said users can download the current patch, intended to fix a potential security hole, and that a new patch will be available shortly. Microsoft executives did not provide any additional details on the related problem and were not immediately available for comment.

The original patch was intended to fix a potential problem involving file attachments with very long names. When a user attempts to download, open, or launch a file attachment whose name is longer than 200 characters, the action can cause the email software to crash. At that point, a skilled hacker could possibly run arbitrary code in the computer's memory, according to a security bulletin posted yesterday by Microsoft.
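A mail gateway or incident responder could screen for the trigger condition described above (an attachment name over 200 characters) before a message reaches a vulnerable client. The following is an added example, not code from Microsoft or the article; the sample message, the `long_attachment_names` function and the 200-character threshold (taken from the text) are all constructed for illustration.

```python
import email
from email import policy

# Threshold from the article: attachment names longer than 200 characters
# crashed the affected clients. Assumed here as the detection cutoff.
MAX_FILENAME_LEN = 200


def long_attachment_names(raw_message: bytes, limit: int = MAX_FILENAME_LEN):
    """Return a list of (part_index, filename_length) for every non-multipart
    MIME part whose decoded attachment filename exceeds `limit` characters.

    get_filename() decodes RFC 2047/2231-encoded names, so the length checked
    is the name the client would actually use, not its encoded form."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no filename of their own
        name = part.get_filename() or ""
        if len(name) > limit:
            findings.append((idx, len(name)))
    return findings


# Constructed sample: one benign attachment and one with a 254-character name.
LONG_NAME = "A" * 250 + ".txt"
SAMPLE_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\nhello\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="report.txt"\r\n\r\nok\r\n'
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\r\n\r\nxx\r\n'
    "--b1--\r\n"
).encode()

if __name__ == "__main__":
    for part_index, length in long_attachment_names(SAMPLE_MESSAGE):
        print(f"part {part_index}: attachment name is {length} chars, over limit")
```

Messages flagged this way can be quarantined or have the attachment stripped until the corrected patch is applied.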

But "after careful analysis, a similar issue was found that is not fixed by the current patch. We will issue an update to this patch shortly," the company said in a statement published on its security Web site.

"The patch does fix the specific problem," said Outlook product manager George Meng. "But there are other variants of the issue" that it doesn't address, he said.

He would not elaborate on the other "variants," saying that to do so could potentially make the software vulnerable to hackers.

The patch is for the security bug as it affects Outlook Express, the free email client for Internet Explorer, not Outlook 98, the latest messaging client for Microsoft Office.

Meng said a new patch will be posted by the end of the week.

For now, the company is directing users to download a temporary patch offered currently on the Web site as a solution to the initial issue, but cautions users to return to the page for more information as it becomes available.

When a new version of the patch is available, the software giant will also notify customers through the Microsoft Security Alert Notification Service and on the Microsoft Security Advisor Web site.

Since it was discovered last month by a team of researchers at a Finnish university, tests have shown the security bug's presence in three of the most popular email programs: Microsoft Outlook Express, Outlook 98, and Netscape Communications' current email offering in its Communicator Web software package.

Researchers are still checking to see whether other email programs, such as Eudora, also contain the flaw.

Netscape has posted detailed instructions to its Web site explaining how users can avoid the problem.