Five weeks after first warning of a hole in its Outlook e-mail program, Microsoft Corp. on Thursday released a patch to fix a flaw in an ActiveX control that could allow attackers to run destructive code on a user's computer.
The defect lies in the Microsoft Outlook View Control, an ActiveX control that is installed with Outlook 98, 2000 and 2002. The control is designed to display information from Outlook, such as messages in the inbox, in a Web browser, according to Microsoft.
By exploiting the flaw an attacker can get full control over Outlook and even run destructive code on a user's machine. To exploit the flaw an attacker would either need to lure a user to a particular Web site, or send an HTML (HyperText Markup Language) e-mail to the user, according to Microsoft.
Microsoft on July 12 first warned about the vulnerability that was discovered by Bulgarian bug hunter Georgi Guninski. The software maker advised users to disable ActiveX controls until a patch was made available. Microsoft now urges all users of affected software to download and install the patch.