Re: MS04-013 needs revision?



...None of our systems run or are installed with Outlook Express,
 and so the patch was never applied...

And did you read?...

<QP>
What systems are primarily at risk from the vulnerability?

**By default, Outlook Express is installed on all supported Windows systems**...

I do not use Outlook Express to read e-mail or newsgroups. Am I at risk from this vulnerability?

Yes. Because Outlook Express is installed by default, customers will be at risk until this update is applied. An attacker could exploit this vulnerability through a **malicious Web site** or through HTML e-mail, regardless of whether Outlook Express is the default e-mail reader.
</QP>
Source: http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx


I suggest you install MS04-013 or a newer Cumulative Security Update for Outlook Express (e.g., MS04-018, MS05-030), as appropriate for each OS.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Javier Sanchez wrote:
Currently we have systems that are being compromised with the
MHTMLRedir.Exploit (Symantec) which is supposedly patched with MS04-013.
However the MS04-013 article clearly states that this article is to be read
by customers with Microsoft Outlook Express installed. None of our systems
run or are installed with Outlook Express, and so the patch was never
applied, but yet the compromise is still possible. It seems that this is
just a problem of wording and language within the article that needs to be
revised. Unfortunately it is too late for us, but hopefully others will
apply this patch to systems not running OE.


This example will actually try to compromise your system so beware (you need
to have the patch installed and an updated AV engine running on your
workstation to be spared):
1. Go to www.fun-photo.com
2. Click on "Most Viewed"
3. welcome to my hell
