“We’re definitely not taking this lightly,’ Microsoft group product manager George Meng told the San Jose Mercury News. “There definitely is a scenario in which someone could do damage to people’s systems.’
Microsoft confirmed the flaw affects versions of Outlook Express shipped with Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows NT 4.0, and Windows NT for DEC Alpha, as well as Windows versions for Macintosh or UNIX machines.
Users of Internet Explorer for Windows 3.1 and Windows NT 3.51 operating systems are not affected, Microsoft said.
The company released a software patch on July 27 but quickly discovered the patch was ineffective. On July 28, Microsoft said an updated patch would be available soon.
Netscape said the flaw affects its Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, or NT platforms and Communicator 4.5 Preview Release 1 on Windows 95, 98, or NT.
Versions of Communicator for Macintosh and Unix platforms are not vulnerable, nor are any versions of Netscape Navigator, the company said.
If you use one of the versions of Communicator that is vulnerable to attack, Netscape recommends that you configure the software to view attachments as links rather than display them in the text of the message. To do that, select the “View” menu, then select “Attachments” and select “As Links.”
Also, if you receive a message that contains an attachment with a filename extending beyond the window width, Netscape said, you should not select the “File” menu under any circumstances. For more information, see Netscape’s web page (see accompanying URL).