The patch (Bulletin MS04-009) can be downloaded from here:
http://www.microsoft.com/security/security_bulletins/20040309_office.asp
Here's the pert info.
A vulnerability in the way that Microsoft Outlook 2002 handles a
certain type of URL could allow a remote attacker to execute arbitrary
code on the vulnerable system.
Microsoft Outlook provides a centralized application for managing and
organizing email messages, schedules, tasks, notes, contacts, and
other information. Outlook is included as a component of newer
versions of Microsoft Office and available as a stand-alone product.
Outlook 2002 exposes a vulnerability due to inadequate checking of
parameters passed to the Outlook email client. The vulnerability is
caused by the way a "mailto:" URL is interpreted. An attacker creating
specially formatted "mailto:" URLs can cause Outlook to run privileged
script, ultimately leading to the execution of arbitrary code. The
malicious code could be delivered to the victim via a specially
crafted HTML email message or from an intruder-controlled web page.
Microsoft originally stated that users were only at risk from this
vulnerability when Outlook 2002 is configured as the default mail
reader and when the "Outlook Today" home page is their default folder
home page. Subsequent information has been published that indicates
that this is not true and users in other situations are vulnerable via
a slightly different attack vector.
