To exploit this vulnerability, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability.
In the worst case, this vulnerability could allow an attacker to load malicious code onto a user's system and then to execute the code. The code would run in the context of the user. Therefore, the code is limited to any action that the legitimate user could take on the system. Any limitations on the user's account would also limit the actions of any arbitrary code that the attacker could execute.
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
- You have applied the patch included with Microsoft Security Bulletin MS03-040.
- You are using Internet Explorer 6 or later.
- You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.