Eric Sites here did some quick and dirty testing to see what versions of Outlook are vulnerable to the VML exploit. Here’s our current list:
Outlook 2007 – 12.0.417.1006, can view VML but apparently not vulnerable.
Outlook 2002 – not vulnerable
Outlook 2000 – not vulnerable
Outlook 2003 11.5608.8028 – not vulnerable
Outlook 2003 11.5608.5606 – not vulnerable
Outlook 2003 11.6568.6568 SP2 – not tested
Outlook 2003 11.8010.8036 SP2 – vulnerable
So, ironically, the most patched version of Outlook 2003 is the one most likely to be at risk.
A mitigation is turning off the Preview Pane and reading all your email in plain text. Or, simply disable VML — easy and quite effective. We’ve done it company-wide ourselves.
Alex Eckelberry