Public Update Fixes Email Header Flaw

Last week, Microsoft issued the first public update for Outlook 2002 since Service Pack 2 (SP2). The December 4, 2002 update fixes a security vulnerability that leaves Outlook open to a Denial of Service (DoS) attack and also rolls up several recent hotfixes.

Microsoft Security Bulletin MS02-067, "E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)", explains that a message with an Internet header constructed in a particular way could block the user from reading any other mail on his or her mail server. Microsoft gives this security problem a moderate severity rating. It affects only Outlook 2002, not earlier versions, and only users with POP, IMAP, or HTTP mail accounts. Outlook running with only an Exchange account is not at risk.

For POP users, this public update is important because it includes the post-SP2 hotfix originally issued in late September to resolve a problem with Outlook crashing on Windows XP systems while downloading POP messages. This patch also fixes a problem that prevents third-party Messaging API (MAPI) providers from forcing Outlook to retrieve new messages automatically. Administrators might be pleased to see that the update restores a feature added in SP1 but broken in SP2: the ability to prevent users from creating or accessing a Personal Folders (.pst) file. Microsoft article "OL2002: Administrators Cannot Prevent Users from Creating Outlook Data Files" describes how to add a DisablePst registry value to enable this feature. The patch includes several other minor fixes previously issued as separate hotfixes.

SP2 is a prerequisite for this update. Apparently, you can install the patch over SP1 in some cases, but you might then encounter problems with HTTP mail accounts, such as MSN, Hotmail, or Outlook Web Access (OWA) accounts. The "Microsoft Office XP Resource Kit" has the full-file version download for the patch and an article about how to apply SP2 to administrative setup points.

I'm encouraged to see Microsoft once again issuing a public update between Microsoft Office XP service packs. The last one for Outlook 2002 was in October 2001.

Meanwhile, Microsoft is also preparing a public update for Outlook 2000 SP3, which was released a few weeks ago, to fix a serious problem that can cause CPU usage to hit 100 percent on machines running Outlook 2000 in Internet Mail Only (IMO) mode. The cause is apparently a timing problem related to reminders, and users might see odd reminder behavior as well as the CPU spike. Microsoft article "OL2000: (IMO) Outlook Reminders Are Problematic After You Install Office Service Pack 3" says the fix is due December 18. Until then, Microsoft suggests that affected users switch their mail support mode from IMO to Corporate/Workgroup (CW). Users who have IMAP accounts or who use WinFax SE to send faxes won't be able to use this workaround because CW mode doesn't support those features. Another possible workaround is to remove reminders from all items. Keep in mind that you can set reminders on items in four folders: Inbox, Calendar, Contacts, and Tasks.

Microsoft article "OL2002: Outlook 2002 Update: December 4, 2002"
"Microsoft Office XP Resource Kit"
