
On July 12, 2001, Microsoft released the original version of this bulletin, to advise customers of a vulnerability affecting Microsoft Outlook and to recommend that they temporarily use an administrative procedure to protect their systems. A patch that eliminates the vulnerability is now available. An updated version of the bulletin was released on August 16, 2001, to announce the availability of the patch and to advise customers that the administrative procedure is no longer needed.

The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine.
