Microsoft Security Bulletin (MS99-060): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS99-060 announces the availability of a patch that serves two purposes:

It eliminates a vulnerability in Microsoft® Outlook Express 5 for Macintosh. The vulnerability causes attachments to HTML mails to be automatically downloaded onto the user's computer.

It provides replacements for several digital certificates in Internet Explorer 4.5 for Macintosh that are due to expire shortly.

Microsoft takes security seriously, and is providing the bulletin to inform customers of the issues and what they can do about them.

What's the relationship between the two issues?
The only relationship between them is that both affect Internet Explorer for the Macintosh. (Outlook Express ships as part of Internet Explorer.) We've combined them in a single patch to make it more convenient to resolve both issues.

What's the vulnerability?
The vulnerability involves an error in the way Outlook Express 5 for Macintosh handles HTML mails. It would cause attachments to HTML mails to be automatically downloaded onto the user's computer. It does not provide a way for a malicious user to launch the attachments, but it poses a security risk because a user might later run a downloaded file without realizing where it came from.

What causes the vulnerability?
Every HTML mail consists of at least one file that provides text and formatting commands. However, there may also be graphic files and background images. Finally, HTML mail, like other forms of mail, can contain attached files.
By design, the files that provide the mail's text and look and feel are downloaded and processed when the mail is opened. However, attachments should not be downloaded unless the user requests it. This vulnerability results because Outlook Express 5 for the Macintosh automatically downloads all files in HTML mail, including attachments.
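
The intended behavior described above, sketched as an added example (this is not Microsoft's code or anything taken from the bulletin). It assumes the mail is MIME-encoded and that attachments and inline resources can be told apart by the Content-Disposition and Content-ID headers, which the bulletin itself does not discuss; the sample message and the function name classify_parts are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the bulletin): an HTML body, a background image
# the HTML references by cid:, and one attached file.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset="us-ascii"

<html><body background="cid:bg1"><p>Hello</p></body></html>
--inner
Content-Type: image/gif
Content-ID: <bg1>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.bin"
Content-Transfer-Encoding: base64

AAECAwQ=
--outer--
"""

def classify_parts(raw):
    """Return (render, held): parts fetched on open vs. only on user request."""
    leaves = [p for p in message_from_string(raw).walk() if not p.is_multipart()]
    referenced = set()  # Content-IDs the HTML body actually points at
    for p in leaves:
        if p.get_content_type() == "text/html" and p.get_content_disposition() != "attachment":
            html = p.get_payload(decode=True).decode("ascii", "replace")
            referenced.update(re.findall(r"cid:([^\"'\s>)]+)", html, flags=re.I))
    render, held = [], []
    for p in leaves:
        ctype, disp = p.get_content_type(), p.get_content_disposition()
        cid = (p.get("Content-ID") or "").strip("<> ")
        is_body = ctype in ("text/html", "text/plain") and disp != "attachment"
        is_resource = ctype.startswith("image/") and cid in referenced and disp != "attachment"
        # Default-deny: anything not needed to draw the message waits for the user.
        (render if is_body or is_resource else held).append(p.get_filename() or cid or ctype)
    return render, held
```

An image that carries a Content-ID but is never referenced by the HTML body is held back as well, so only parts the message actually needs for display are processed on open.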

Where would the downloaded files be stored?
The location for downloaded files is configurable via Internet Explorer. However, in some cases, the default settings will cause downloaded files to be stored on the desktop.

Could this be used to automatically execute a malicious email attachment?
No. The vulnerability causes the attachment to be downloaded onto the recipient's machine, but doesn't provide a way for a malicious user to cause it to launch. Only the user could launch the file.

Does the vulnerability affect Outlook Express on Windows platforms?
No. It only affects Outlook Express on Macintosh.

Does this affect types of mail other than HTML?
No. HTML mail is the only type of mail affected.

The patch also corrects a problem with digital certificates. What's the issue here?
Internet Explorer provides a number of digital certificates that can be used to set up sessions with secure web sites. Like all digital certificates, these have an expiration date. The patch provides replacements for several certificates that are due to expire soon. More information on this issue is available at the Microsoft MacTopia web site. In addition, the patch ensures that the current industry standard for digital certificates, X.509 version 3, is supported by Internet Explorer 4.5 for Macintosh.

Is this a security vulnerability?
No. All digital certificates have an expiration date. These just happen to be expiring soon.

If this isn't a security vulnerability, why are you including them in the patch?
Microsoft wants to ensure that as many customers as possible get the replacement certificates, so we included them in this patch as a community service.

When do the certificates at issue here expire?
They expire on December 31, 1999.

Is this a Y2K issue?
No. It's coincidental that the issuer chose December 31, 1999, as the expiration date.

What would happen if I didn't replace the certificates?
If you visited a secure web site, you'd get a dialogue telling you that the certificate has expired. You could still choose to use the certificate anyway, if you wanted to, and could still set up a secure session.

Do either of these issues affect users on Windows platforms?
No. The security vulnerability and the digital certificate expiration issue affect only Outlook Express and Internet Explorer for Macintosh.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
To verify that you've installed the patch correctly, check the Microsoft Internet Library (located in the Extensions folder). If it was created on November 30, 1999, and is 2,160,491 bytes in size, the patch is in place.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

