Cyrusoft Not Affected

Notified:  March 30, 2001 Updated: March 30, 2001

Status

Not Affected

Vendor Statement

Mulberry does not use Internet Explorer to render HTML within Mulberry itself and is not vulnerable to these kinds of problems. Users can save HTML attachments to disk and then view those in browsers susceptible to this problem, but this requires the direct intervention of the user to explicitly save to disk - simply viewing HTML in Mulberry does not expose users to these kinds of problems. Our HTML rendering is a basic styled-text only renderer that does not execute any form of scripts. This is true on all the platforms we support: Win32, Mac OS (Classic & X), Solaris, Linux. An official statement about this is available on our website at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Affected

Notified:  March 30, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

Notes doesn't use IE to display HTML formatted email. If a user's browser preferences specify Notes with Internet Explorer, then the version of Internet Explorer that is installed on the user's workstation is used for browsing. It is launched as an ActiveX component within Notes, but Notes does not ship any IE code. If Internet Explorer is chosen as the user's preferred browser, then Notes launches Internet Explorer in a separate window and opens the link. The Notes client does not need to be upgraded but the user must upgrade their version of Internet Explorer to prevent against this vulnerability, which they should do anyway.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional information at this time.

Microsoft Corporation Affected

Updated:  July 17, 2002

Status

Affected

Vendor Statement

Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

A patch is available for this issue at: http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023. IE 6 is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

As noted in the Caveats section of the MS01-020 advisory, end users must apply this patch to supported versions of Microsoft's browser. This means users of IE must upgrade to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1, and users of those versions must apply this patch. Users of IE who have not previously upgraded will receive an incorrect message stating that they do not need to apply this patch. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it).

From MS01-020, Caveats: "If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches."

Netscape Communications Corporation Not Affected

Notified:  March 30, 2001 Updated: April 12, 2001

Status

Not Affected

Vendor Statement

We have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:

1. We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.
2. Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.

As a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Opera Software Not Affected

Notified:  March 30, 2001 Updated: April 02, 2001

Status

Not Affected

Vendor Statement

Opera does not use Internet Explorer or any other external software to render HTML.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

QUALCOMM Unknown

Notified:  March 30, 2001 Updated: March 30, 2001

Status

Unknown

Vendor Statement

It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.