There are some problems to know about before installing the January 2007 critical patch for Outlook.
The January 2007 security patch for Outlook 2003, Outlook 2002 (XP) and Outlook 2000 deals with three different problems with Outlook – one of which is very serious.
But one of the fixes in the 9 January 2007 updates is just to disable the affected feature entirely – not a true fix at all. Thankfully the feature isn’t used much, but it’s hardly a proper fix.
First, here are links to the patch downloads:
Microsoft Office 2000
patch needs Service Pack 3
- Microsoft Outlook 2000 — Download the update (KB921593)
Microsoft Office XP
patch needs Service Pack 3
- Microsoft Outlook 2002 — Download the update (KB921594)
Microsoft Office 2003
patch needs Service Pack 2
- Microsoft Outlook 2003 — Download the update (KB924085)
The one patch covers three security problems with Outlook – all are rated ‘critical’ by Microsoft but one is particularly bad.
The ‘denial of service’ problem is caused by a specially made email coming to Outlook – simply receiving that message will cause Outlook to crash – you don’t have to read the message.
Now the ‘gotcha’
Another of the patched trio of troubles deals with the Advanced Find feature in Outlook. You can save Outlook search criteria to a .oss file so they can be retrieved for later use.
Sadly, an .oss file can be rigged to give access to your computer. An attacker could put an .oss file in an email or on a web site and, if they can convince you to open it, get access to the computer.
Microsoft’s solution to this problem is to disable the Advanced Find feature entirely! The 9 January 2007 patch sets a registry setting to turn off Advanced Find.
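For mail administrators who would rather stop .oss files arriving by email than rely on the feature being switched off, here is an added example (not part of the original article and not Microsoft's code) that flags any .oss attachment in a raw message. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = ".oss"  # Outlook saved-search files, the type the article warns about


def normalise(name):
    # Windows drops trailing dots and spaces when opening a file, so
    # "find.oss. " must be treated the same as "find.oss".
    return name.strip().rstrip(". ").lower()


def find_oss_attachments(raw):
    """Return the declared filename of every .oss part in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into forwarded messages (message/rfc822 parts).
    for part in msg.walk():
        # get_filename() decodes RFC 2231 encoded names, which a plain
        # text search of the raw headers would miss.
        name = part.get_filename()
        if name and normalise(name).endswith(BLOCKED_EXT):
            hits.append(name)
    return hits


def sample(filename, wrap=False):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    if wrap:  # forward the message inside another one
        outer = EmailMessage()
        outer["Subject"] = "Fwd: constructed sample"
        outer.set_content("Forwarded.")
        outer.add_attachment(msg)
        msg = outer
    return bytes(msg)


if __name__ == "__main__":
    for fn, wrap in [("Q1 search.OSS", False), ("notes.txt", False),
                     ("búsqueda.oss.", True)]:
        print(fn, "->", find_oss_attachments(sample(fn, wrap)) or "clean")
```

The check looks only at the declared filename, so it complements the patch rather than replacing it.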