Microsoft Outlook Malformed vCard Vulnerability Patch MS01-012 (2/22/01)
Outlook Express provides several components that are used both by Outlook Express itself and, if it is installed on the machine, by Outlook. One such component, used to process vCards, contains an unchecked buffer. By creating a vCard and editing it to contain specially chosen data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, attackers could cause the mail client to run code of their choice on the user's machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine.

Because the component that contains the flaw ships as part of Outlook Express (OE), which itself ships as part of Internet Explorer, the patch is specified in terms of the version of IE rather than OE or Outlook.

There is no means by which a vCard could be made to open automatically, so the attacker would need to entice the recipient into opening the mail, then opening the vCard. As always, best practices recommend against opening untrusted e-mail attachments.
Publisher:
File size: 343KB
Date added: 03/04/2001
Licence: Free
Requirements: Windows 95/98/NT/2000/XP, Microsoft Outlook 98, 2000, or Outlook Express 5.x