Microsoft warns of IE, Outlook flaws

Microsoft has warned of new security glitches in some of its internet software that could expose sensitive data.

The company said a glitch could allow hackers to pilfer information from computers running versions of its Internet Explorer web browser. The Internet Explorer security hole affects versions 5.5 and 6 for Windows. IE 5.01 is not affected by the glitch.

A second problem striking Microsoft's Outlook 2002 email program could let a hacker deny user access to the program. The hacker could do this because a "vulnerability exists in Outlook 2002 in its processing of email header information," according to a Microsoft security bulletin.

Outlook 2002, which is included with Office XP, is affected by the flaw, but Outlook 98, 2000 or Outlook Express are not. Microsoft did not say whether Outlook 11, which is in the hands of about 12,000 beta testers, is vulnerable to the exploit.

The company rated the security glitches as "moderate" threats but recommended all consumers apply patches to prevent hacker attacks.

The new IE glitch comes less than two weeks after the discovery of a more serious security hole that exposed millions of web servers and PCs to potential hacking. That flaw likely hampered the more than four million websites using Microsoft's Internet Information Server software.

The new security hole exists because "the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete," according to a Microsoft bulletin. "This could have the effect of allowing a website in one domain to access information in another, including the user's local system."

Using the exploit, a hacker could create a website that stores information in the browser's cache that would take the internet user to a different web address or domain. The hacker also could deliver this "web object" in Hypertext Markup Language (HTML)-formatted email either opened by the user or simply displayed in Outlook Preview. Outlook Express 6 and Outlook 2002 are not vulnerable to this exploit when used in their default configurations.

The hacker would be able to read any files on the computer or launch programs for which he or she knew the exact location on the compromised system. The hacker would not be able to place programs on the invaded computer or change or delete files, according to Microsoft.

Microsoft has posted a patch for the Internet Explorer flaw. The patch, which is cumulative for other security bugs, can be applied to Internet Explorer 5.5 with Service Pack 2 installed and to IE 6.

In October, GreyMagic Software reported eight security vulnerabilities it deemed "critical" because of a flaw in how Internet Explorer caches Web objects. Wednesday's patch addresses in part the vulnerabilities uncovered by GreyMagic.

Joe Wilcox writes for News.com