Microsoft re-released the patch, this time as Critical, after some new attack possibilities came to light. According to Microsoft, "This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th."
Full information on the patch is available under TechNet article MS04-009.
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
If you have not updated MS Office to Service Pack 3, you need to run this patch.
A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The parsing of specially crafted mailto URLs by Outlook 2002 causes this vulnerability. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.
The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message, an attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user. Outlook 2002 is available as a separate product and is also included as part of Office XP.
Mitigating factors:
- Users who read e-mail messages in plain text format are at less risk from the HTML e-mail attack vector, as they would need to click on a link in an e-mail message to be affected.
- If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.
Updated On: 04.07.14