Microsoft patches holes in IE, Outlook

Microsoft once again has issued patches for security flaws discovered in its Windows applications.

The software giant warned customers they should apply updates for both Internet Explorer (IE) and Outlook Express to fix critical security vulnerabilities that could let attackers run programs on a victim's PC.

"The No. 1 thing that we want people to walk away with is to install the updates so their machine is protected," said Stephen Toulouse, security program manager for Microsoft's security response center.

Last year, Microsoft began releasing advisories midweek after customers commented that such a policy makes it more likely patches can be applied quickly. Both advisories can be found on the company's Web site.

Internet Explorer 5.01, 5.5 and 6.0 all have four flaws, the worst of which could allow an attacker to take control of a person's computer if the victim were to browse to a Web site or read an HTML (Hypertext Markup Language) e-mail created by the attacker.

A so-called buffer overflow vulnerability, which an attacker can exploit by sending more input to a program than the application expects, could allow the owner of a Web site to run code on the person's computer. Buffer overflows are an old type of vulnerability that still crops up frequently in programs. The flaw occurs in a component of Internet Explorer that delivers Web addresses to the browser from other sources, for instance when a person clicks on a URL in an e-mail or a Word document.

Two other vulnerabilities allow an attacker to place code on a Web site that would cause IE to upload a file from the victim's computer. Another flaw affects how the application handles third-party files such as Adobe Systems' portable document format.

The flaw in Outlook Express occurs in the way the application handles the encapsulation of HTML in e-mails. A software error in the component allows an attacker to run programs on the victim's computer.

Even Windows users who don't read or send mail using Microsoft Outlook Express or browse with Internet Explorer should install the update, the advisories stressed.

The advisories are the software giant's 14th and 15th this year. This is the company's second year of trying to secure its myriad applications under its Trustworthy Computing Initiative.
