Microsoft has released security patches to address two security vulnerabilities affecting Internet Explorer, Outlook Express, and Office applications for both the "Classic" Mac OS (Mac OS 8 and Mac OS 9) and Mac OS X. Microsoft is urging all users of these programs to download and apply the patches at once.
Vulnerable software includes:
The first security vulnerability could make it possible for malicious HTML code in a Web page, HTML email message, or Office document to exploit a buffer overflow; theoretically, an attacker could exploit this buffer overflow to perform such tasks on your computer as deleting or changing files, or installing and running software without your permission. (Under Mac OS X, the attacker would have the same privileges as the current user, which could limit the vulnerability.) In the case of Office documents (Word files, Excel spreadsheets, or PowerPoint presentations), the user would have to open the malicious document to be exposed; both Microsoft and common sense both say you should never open files from unknown sources.
The second vulnerability affects only Internet Explorer 5.1 under Mac OS 8 or Mac OS 9. It could make it possible for an attacker to run an existing AppleScript script on your computer, but only if the script's name and complete path were known. (The attacker cannot install a script; it must already be available.) The most common "well-known" scripts are those in the Speakable Items folder; they perform tasks like quitting applications, restarting the computer, emptying the Trash, and more.
The patches for Microsoft Office 2001 (263 K), Office X (1.8 MB), and Outlook Express (new version 5.0.4; 8.6 MB), and patches for Mac OS 8 and OS 9 users of Internet Explorer (new version 5.1.4; 5.4 MB), are available for download from Microsoft's Macintosh download site. Mac OS X users should apply the patch to Internet Explorer for Mac OS X via the Software Update feature of Mac OS X, available via System Preferences. Mac OS X users must still manually download and apply the patches for Office or other applications.
Microsoft says versions of Internet Explorer prior to 5.1, of Outlook Express prior to 5.0.1, and of Office prior to Office 98 are no longer supported, have not been tested, and may or may not be subject to these vulnerabilities.
The current security patches, when applied, also patch all previously noted vulnerabilities in these versions of the Microsoft applications.
Microsoft is offering free user support by phone to U.S. and Canadian callers at 866/727-2338. International users should contact their local subsidiary for information about obtaining free support for downloading and installing these patches.