Exchange Server administrators who use X.509 V1 Exchange Server Security certificates for encryption within their organizations might want to deploy the latest update for Outlook 2002. Microsoft Security Bulletin 03-003 ("Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure") explains that Outlook 2002 doesn't correctly handle X.509 V1 security certificates generated by the Exchange Key Management Server. Instead of encrypting a message sent between users who have such certificates, Outlook 2002 sends the message unencrypted. The flaw doesn't threaten the computer itself; the danger is that unintended recipients might gain access to the confidential contents of the message.
Microsoft rates this vulnerability as moderate, noting that Secure MIME (S/MIME) certificates are more widely used than V1 Exchange Server Security certificates and that the problem doesn't affect S/MIME encryption. The problem occurs on the client, not the server, and affects only Outlook 2002, not Outlook 2000 or Outlook 98.
A patch issued by Microsoft this week fixes the flaw. It also includes a hotfix previously available only from Microsoft Product Support Services (PSS) and resolves some other problems for a wide range of environments, not just for Exchange clients. This patch is the second public update Microsoft has issued since Office XP Service Pack 2 (SP2). The Microsoft article "OL2002: Overview of the Outlook 2002 Update: January 22, 2003" describes the problems that the patch addresses and gives download details. The administrative version of the patch requires either Office XP SP2 or SP1; the end-user patch requires SP2.
The update also fixes two problems that can cause a system to crash or hang. The first is that the mso.dll file can crash in certain situations when the user switches between two custom forms while the preview pane is on. The second is that the system can crash or hang when you use Data Access Object (DAO) code with forms that have calculated fields.
Another fix lets you find an item in another user's large shared mailbox folder by displaying the folder, then pressing a key to go to items that begin with that letter. This "quick key" search didn't always behave as expected in other users' folders before the fix. Three more fixes for users collaborating with Exchange let you recall a message sent by someone for whom you are a delegate, list a resource properly in the Location field when meeting requests include an invitation to the resource, and display reminders that weren't appearing in some Windows 2000 Server Terminal Services configurations.
For IMAP users, the January update solves an annoying problem with usernames that contain spaces. Some IMAP servers let account names have spaces, but Outlook formerly stripped the spaces, turning "Evelyn Montez" into "EvelynMontez." Another IMAP fix makes the default print style in mail folders the same as it is in an Exchange mailbox or Personal Folders (.pst) file: the memo style, for printing individual messages, instead of the table style, which prints a line for each message.
Also posted in the Microsoft Office Download Center this week is another corrected version of the outlhol.exe file, dated January 22, that Outlook 2000 clients can use to extend the holidays on their Outlook Calendar from 2003 through 2007. If you're an administrator thinking of providing users with this update, you might want to review the holidays for the countries and religions your users are most likely to import and correct any remaining errors.
Microsoft Security Bulletin 03-003 ("Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure")
"OL2002: Overview of the Outlook 2002 Update: January 22, 2003"