Microsoft Corp. on Friday said that a patch it released Thursday for an Outlook Express vulnerability erroneously tells users they need a different version of Internet Explorer in order to install the fix. In fact, the patch requires IE 6, but users who have installed Service Pack 1 for the browser are already protected against the new flaw. Thus when these users try to install the new patch, they receive an error message.
However, the error message is misleading, in that it tells users they need to install IE 6, and not that theyre already protected. A Microsoft spokesman said the company has updated its advisory on the Outlook Express flaw to reflect the SP 1 issue.
The patch, which fixes a vulnerability in the way Outlook Express 5.5 and 6 handle a specific error condition, requires that users have Internet Explorer 6 running on their machines. Yet, several users who are running the required browser version have said they are still getting an error message and cannot install the patch.
When they try to install the fix, a message saying "This update requires Internet Explorer 6.0 to be installed" appears and the installation stops.
"If my experience is true and more universal, the fix for the flaw is flawed," said one user, who asked not to be identified. "I went to install it because it was marked critical. Luckily, I dont use the feature with the flaw."
The user contacted Microsofts support organization about the problem and was informed that he was not the only one having trouble with the patch.
Another customer reported problems trying to install the patch on several systems running various versions of Windows—and all loaded with IE 6 and Outlook Express 6; he received the error message on every installation attempt.
A spokesman for Microsoft, based in Redmond, Wash., did not have an immediate answer for the problem but said the company would look into it.
The patch was released Thursday night.
- Flaw Foundin Outlook Express
- Patches Pose Pesky Problems for OSes
- Microsoft Releases Raft of New Patches
- More Security Coverage