MS04-009 (828040): Microsoft has announced a security weakness in Outlook 2002, which is available separately as well as in Office XP, that can allow an attacker to take control of a PC if a malicious Web page or e-mail message is viewed.
The problem is rated by Microsoft as “important,” one step below the most severe rating of “critical,” although it affects only a single product: Outlook 2002 with Service Pack 2. Upgrading Outlook 2002 to Service Pack 3 eliminates the vulnerability, as does installing a patch that Microsoft released on Mar. 9 as part of its regular monthly security bulletins.
The hole is not present if Office XP has been upgraded to Service Pack 3, nor is there a vulnerability in Office 2000 with SP3, Office 2003, or Outlook 2003, according to Microsoft.
Additionally, the problem only arises if the user has the default folder “home page” of Outlook 2002 set to “Outlook Today” instead of “Inbox.” Unfortunately, when Outlook 2002 is installed and configured without setting up any e-mail accounts, “Outlook Today” is the default.
You can work around the weakness, without installing Microsoft’s update if you wish, by making sure all installations of Outlook 2002 use “Inbox” as the default folder home page, as described in the Workarounds section of bulletin MS04-009. However, no negative side-effects of installing MS04-009 have yet been reported, so the workaround may be more trouble than simply rolling out the update. More info
Windows Media Services open to attack in W2K Server