MS06-076: Cumulative Security Update for Outlook Express

by Bharat Suneja

As part of its monthly security patch releases, Microsoft has published a security bulletin (MS06-076) – a cumulative update for Outlook Express. Even if you use Microsoft Outlook for email and do not use Outlook Express at all, do remember this is installed by default on all Windows computers and as such it makes sense to apply this patch.

Details of vulnerability as published in the above bulletin:

Windows Address Book Contact Record Vulnerability – CVE-2006-2386

A remote code execution vulnerability in a component of Outlook Express could allow an attacker who sent a Windows Address Book file to a user of an affected system to take complete control of the system.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Alternatively, if there’s a reason you can’t or don’t want to apply the patch, a workaround exists: remove the Windows Address Book (.WAB) file association as described in the bulletin (remove the .WAB subkey in HKCR). As a result users will be unable to open Address Books by double-clicking them.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: