Microsoft has issued a patch for a security flaw that affects users of Microsoft Outlook 2000 and 2002. If Microsoft Word is used as the E-mail editor, a condition could exist that would allow an attacker to run potentially malicious software on the user's system.
The vulnerability exists because of potentially conflicting security settings in Word and Internet Explorer, Microsoft says. When displaying an HTML E-mail in Outlook, the security settings of Explorer are applied, which won't allow scripts to run. However, when forwarding or replying to such documents and Word is the E-mail editor, scripts aren't blocked, the company says.
An attacker could exploit this vulnerability by sending a malformed HTML E-mail containing a script to an Outlook user who's using Word as the E-mail editor. If the user replies to or forwards the E-mail, the script would then run, according to the security bulletin.
More information and a patch that remedies the security hole can be found on Microsoft's Web site.