MS flags OE 5 security threat
from http://macweek.zdnet.com/1999/11/07/outlook.html

              Microsoft Corp. has revealed a security issue with the Mac version of 
Outlook Express 5.0 that may leave users of the free Internet e-mail client open to 
invasions by potentially destructive Trojan horses.

              According to an e-mail sent out Friday evening by Waggener Edstrom, 
Microsoft's PR firm, "Microsoft is taking this issue very seriously and is working 
diligently to provide a solution to this issue that will enable our customers to 
continue having a safe and easy computing experience.

              "In the meantime, OE 5 users should ensure they do NOT open any file in 
their Downloads Folder without knowing where the file came from," the e-mail warns.

              According to the document, a security gap in Outlook Express 5.0 "makes it 
possible for a malicious sender to send [a multilingual HTML] message to an OE 5 user 
that will automatically download a file to the user's default Download folder without 
the OE 5 user's knowledge. (The location of the default Download folder is set in IE 
or Internet Config.)

              "The downloaded file can be anything, including an executable. This 
scenario is similar to malicious users sending out messages containing harmful 
attachments in that the user has to explicitly take action (opening the attachment, or 
in this case, opening the downloaded file) in order for any damage to occur - the file 
is NOT automatically opened or executed on the user's machine.

              "Since the user is not aware that the file has been downloaded, the user 
may encounter the file later and open/launch it. Since the file can be an executable, 
launching it could cause damage to the user's machine.

              "Users should NEVER open any file in the Downloads Folder unless they 
know where the file came from.

              "Again, we are taking this issue very seriously and are working on a 
solution. In the meantime, OE 5 users should ensure they do NOT open any file in their 
Downloads Folder without knowing where the file came from," the message concludes. 

              Microsoft was not immediately available for additional comment.
