Microsoft has released patches which close a number of critical
vulnerabilities in Microsoft Office Web Components 2000 and separately,
Internet Explorer.  These vulnerabilities can allow a remote attacker, by
use of an email message or web page, to run programs, alter and/or access
data, or wipe the hard drive on a target system.

Any system with Microsoft Office 2000/XP is vulnerable and should have the
patch applied.  Other Microsoft software, including some server software
is also affected, for more information please see the following:

http://www.microsoft.com/technet/security/bulletin/MS02-044.asp

It is recommended that users install the patches using the "Office
Products Updates" site:

http://office.microsoft.com/productupdates/


Also, patches were released yesterday to close critical vulnerabilities in
Internet Explorer.  These are available through the "Windows Update" site.

http://windowsupdate.microsoft.com/

For direct access to the cumulative patch:

http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp


Finally, for those using Microsoft Outlook, these vulnerabilities would be
partially mitigated if the Outlook Email Security Update was installed:

http://office.microsoft.com/Downloads/2000/Out2ksec.aspx


--
Chris Russel    | Manager Information Security
[log in to unmask] | York University, Toronto, Canada