If the Outlook Web Access server that the patch is applied to does not have Internet Explorer version 5.0 or later installed, file dependency issues can cause "unexpected consequences", Microsoft said.
Installing the patch on servers with an older version of IE had various results, according to postings in a forum for Exchange administrators on Microsoft's TechNet Web site. There are reports of disabled systems that only show message headers, not the body, as well as general installation problems.
Exchange administrators could have to get used to dealing with several versions of security bulletins and patches before their system is patched and running again. Earlier this year it took Microsoft three patches to plug a similar Outlook Web Access hole in Exchange 2000. Exchange 5.5 was also affected, but that patch worked on the first go.
The original bulletin did not list any caveats. The updated bulletin lists the IE version requirement and recommends users upgrade to IE 5.5 with Service Pack 2 (SP2) or IE 6.0. Hotfix support is only available for these latest versions of IE, Microsoft said.
The patch is to fix a flaw in the way Outlook Web Access handles inline script in HTML e-mail messages. An attacker can hijack a user's mailbox when his message with malicious code is opened using IE and Outlook Web Access, according to Microsoft.