All,

For those not on MS's security mailing list (or those who want another take on this), Microsoft have released a new security advisory affecting Outlook Express v5.5, v6.0, Outlook 98, 2000, 2002 and Internet Explorer, specifically using the MHTML standard, or MIME encapsulation of HTML.

The associated advisories are:

MS03-014 http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
MS03-015 http://www.microsoft.com/technet/security/bulletin/MS03-015.asp

The advisories list the associated roll-up patches, which I strongly advise are installed on all OE clients.

Essentially, the MHTML URL tag (MHTML://) can be used to run local scripts, which will then run in the IE local computer security zone, which has few restrictions as to what it can't do. If the IE cumulative patch listed in MS03-004 is not installed, the attacker could also locate a script file onto the local computer for it to run.

Also note that Outlook 98 and Outlook 2000 without the email security update, and Outlook 2002 and OE v6.0 not in its default configuration, can run this URL simply by opening the message. Other versions need to click on the URL to be affected.

Put together, this means that under some standard configurations an attacking script can be copied and run with few restrictions, using the user's privileges on the local computer - i.e. VERY BAD! Given how easy it is to utilize this flaw, expect nasty worms using it very soon from the script kiddies. And if the user is a local or domain admin, uh-oh!

An interesting omission from this advisory is any patch/update/config change for Outlook clients. Assuming that you have the email security update installed, or Outlook 2002 is in its default config (i.e. open HTML mail in the restricted sites zone), then clicking the link will still activate the script. Guaranteed that with the right prompt a large number of users will click it anyway - "see Avril topless" yeehar!

I will advise if/when Outlook patches become available.

Jamie.
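Until every client is patched, a mail gateway can flag HTML mail that carries an MHTML-scheme URL, the vector described in the message above. The following Python check is an added example and is not part of the original post; the names `find_mhtml_links`, `LinkScan` and `build_sample`, the list of URL-bearing attributes, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Attributes that can carry a URL in HTML mail (assumed list, extend as needed).
URL_ATTRS = {"href", "src", "action", "background", "codebase", "data"}

class LinkScan(HTMLParser):
    """Collects (tag, attribute, value) for every URL that uses the mhtml: scheme."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # HTMLParser has already decoded character references such as
                # &#109;; drop whitespace/control characters and fold case so
                # " MHTML://" and "mh\ttml:" normalise to the same prefix.
                cleaned = "".join(ch for ch in value if ch > " ").lower()
                if cleaned.startswith("mhtml:"):
                    self.hits.append((tag, name, value))

def find_mhtml_links(raw_bytes):
    """Return mhtml: URL hits from every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = LinkScan()
            scanner.feed(part.get_content())  # transfer encoding is decoded here
            scanner.close()
            hits.extend(scanner.hits)
    return hits

def build_sample(html):
    """Build a constructed multipart/alternative test message around `html`."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()

if __name__ == "__main__":
    # Constructed sample: placeholder host, mixed case and a leading space.
    sample = build_sample('<a href=" MHTML://placeholder.invalid/x">click</a>')
    for tag, attr, value in find_mhtml_links(sample):
        print(f"quarantine: <{tag} {attr}={value!r}>")
```

A hit is a reason to quarantine or strip the link, not proof of an attack; the scheme match only identifies messages that reach the handler the advisories patch.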