Notified: March 30, 2001 Updated: March 30, 2001
Not Affected
Mulberry does not use Internet Explorer to render HTML within Mulberry itself and is not vulnerable to these kinds of problems. Users can save HTML attachments to disk and then view those in browsers susceptible to this problem, but this requires the direct intervention of the user to explicitly save to disk - simply viewing HTML in Mulberry does not expose users to these kinds of problems.
Our HTML rendering is a basic styled-text only renderer that does not execute any form of scripts. This is true on all the platforms we support: Win32, Mac OS (Classic & X), Solaris, Linux.
An official statement about this is available on our website at:
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 30, 2001 Updated: April 05, 2001
Affected
Notes doesn't use IE to display HTML formatted email. If a user's browser preferences specify Notes with Internet Explorer, then the version of Internet Explorer that is installed on the user's workstation is used for browsing. It is launched as an ActiveX component within Notes, but Notes does not ship any IE code. If Internet Explorer is chosen as the user's preferred browser, then Notes launches Internet Explorer in a separate window and opens the link. The Notes client does not need to be upgraded, but the user must upgrade their version of Internet Explorer to protect against this vulnerability, which they should do anyway.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional information at this time.
Updated: July 17, 2002
Affected
Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
A patch is available for this issue at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023. IE 6 is not vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
As noted in the MS01-020 Caveats section of the advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE users must upgrade to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 and apply this patch. Users of IE who have not previously upgraded will receive an incorrect message stating that they do not need to apply this patch. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it).
From MS01-020:
Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.
Notified: March 30, 2001 Updated: April 12, 2001
Not Affected
We have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:
1. We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.
2. Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.
As a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
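The mismatch described in the statement above (an .exe attachment labelled image/gif) can be screened for at a mail gateway before any client decides how to handle the part. The following is an added example, not code from the advisory or from any vendor listed here; the function name, the extension list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Extensions Windows will run when opened (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Main types a mail client is expected to render or play, never to launch.
PASSIVE_MAIN_TYPES = {"image", "audio", "video", "text"}

def mismatched_attachments(raw_message):
    """Return (filename, declared_type) for parts whose passive MIME type
    disagrees with an executable file extension."""
    findings = []
    for part in message_from_string(raw_message).walk():
        filename = part.get_filename()  # Content-Disposition, else Content-Type name
        if part.is_multipart() or not filename:
            continue
        # Windows ignores trailing dots and spaces, so "x.scr." still runs as .scr;
        # only the last extension matters for a name like "clip.wav.scr".
        ext = filename.rstrip(". ").rpartition(".")[2].lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            findings.append((filename, part.get_content_type()))
    return findings

# Constructed sample message; payloads are placeholders, not real files.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body text
--b1
Content-Type: image/gif; name="photo.gif"

(placeholder)
--b1
Content-Type: image/gif
Content-Disposition: attachment; filename="setup.exe"

(placeholder)
--b1
Content-Type: audio/x-wav
Content-Disposition: attachment; filename="clip.wav.scr."

(placeholder)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tool.exe"

(placeholder)
--b1--
"""

if __name__ == "__main__":
    for name, declared in mismatched_attachments(SAMPLE):
        print(f"declared {declared} but named {name!r}")
```

The honestly labelled `tool.exe` (application/octet-stream) is not reported here; blocking executable attachments outright is a separate policy from detecting a mislabelled one.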
Notified: March 30, 2001 Updated: April 02, 2001
Not Affected
Opera does not use Internet Explorer or any other external software to render HTML.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 30, 2001 Updated: March 30, 2001
Unknown
It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.