The potential breach, revealed by security consultants @Stake, could allow malicious code to be executed on corporate PCs. It could also be used to delete files or transfer information, essentially giving a hacker the same freedom as the machine's legitimate user.
Because of the integration between Internet Explorer and Outlook, this email vulnerability must be fixed using a browser patch. The Internet Explorer update is now available from Microsoft.
The flaw is triggered only if a user opens a vCard electronic business card attachment containing malicious code. It relies on a buffer overflow in the 'birthday' field that occurs when the card is opened; as a temporary measure, @Stake advises blocking all vCard attachments.
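The temporary measure described above can be sketched as a mail-gateway check. This is an added example, not code from @Stake or Microsoft. The function names, the MIME types and `.vcf` extension used to recognise a vCard, and the 32-character ceiling for a birthday value are all assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumptions: vCards are recognised by these MIME types or a .vcf file name,
# and 32 characters is a generous ceiling for a birthday value (a date is ~10).
VCARD_TYPES = {"text/x-vcard", "text/vcard", "text/directory"}
MAX_BDAY_LEN = 32

def is_vcard(part):
    name = (part.get_filename() or "").lower()
    return part.get_content_type() in VCARD_TYPES or name.endswith(".vcf")

def oversized_bday(part):
    """True if a BDAY property in the vCard part exceeds MAX_BDAY_LEN."""
    text = (part.get_payload(decode=True) or b"").decode("latin-1")
    # Unfold continuation lines (newline + space/tab) before measuring.
    text = text.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "")
    for line in text.split("\n"):
        prop, _, value = line.partition(":")
        if prop.split(";")[0].strip().upper() == "BDAY" and len(value) > MAX_BDAY_LEN:
            return True
    return False

def screen_message(raw_bytes):
    """Return (action, reasons). Any vCard attachment causes a block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart() or not is_vcard(part):
            continue
        label = part.get_filename() or part.get_content_type()
        reasons.append(f"vCard attachment: {label}")
        if oversized_bday(part):
            reasons.append(f"oversized BDAY field in {label}")
    return ("block" if reasons else "deliver"), reasons

def build_sample(bday=None):
    """Constructed test message; attaches a vCard only when bday is given."""
    msg = EmailMessage()
    msg["Subject"] = "Contact details"
    msg.set_content("Card attached.")
    if bday is not None:
        card = f"BEGIN:VCARD\nVERSION:2.1\nFN:Sample Person\nBDAY:{bday}\nEND:VCARD\n"
        msg.add_attachment(card, subtype="x-vcard", filename="contact.vcf")
    return msg.as_bytes()

if __name__ == "__main__":
    for raw in (build_sample(), build_sample("19700101"), build_sample("1" * 300)):
        print(screen_message(raw))
```

Every vCard is blocked, as the advisory recommends; the separate birthday-length reason only helps triage which quarantined messages deserve a closer look.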
The security of Outlook was called into question last year by other revelations about buffer overflows and automatic execution of malicious code sent as an email attachment.
Microsoft's latest security bulletin can be found at:
The patch can be downloaded from: