Unchecked Buffer in Outlook May Run Arbitrary Code

Reported July 19 by USSRLabs

  • Microsoft Outlook Express 4.0 - 5.01
  • Microsoft Outlook 97, 98, and 2000


    An unchecked buffer in Outlook may allow a malformed Date parameter to cause arbitrary code to execute on the system. The overrun occurs when a string is appended to the end of the Date parameter in the SMTP mail header, as seen in the example below.


    The following series of SMTP mail commands will initiate the buffer overrun when the user receives the email via an unpatched version of Outlook:

    MAIL FROM: someone@somedomain
    RCPT TO: target@someotherdomain
    Date: Thu,19 Jul 2000  11:11:00
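
A mail gateway or triage script can flag messages whose Date header carries extra data after the date-time, which is the malformation described above. The following Python check is an added example, not code from USSRLabs or Microsoft; the 64-character limit, the regular expression and the sample messages are assumptions constructed for illustration.

```python
import re
from email.parser import BytesHeaderParser

MAX_DATE_LEN = 64  # assumed policy limit, not a value from the advisory

# Date-time as in RFC 822/2822: optional day name, date, time, optional zone.
DATE_RE = re.compile(
    r"^\s*(?:[A-Za-z]{3},\s*)?\d{1,2}\s+[A-Za-z]{3}\s+\d{2,4}\s+"
    r"\d{1,2}:\d{2}(?::\d{2})?(?:\s+(?:[+-]\d{4}|[A-Za-z]{1,5}))?\s*$"
)

def check_date_headers(raw_message: bytes) -> list:
    """Return findings for the Date header(s) of one raw RFC 822 message."""
    headers = BytesHeaderParser().parsebytes(raw_message)
    values = headers.get_all("Date", [])
    findings = []
    if not values:
        findings.append("no Date header")
    if len(values) > 1:
        findings.append("multiple Date headers")
    for value in values:
        # Unfold continuation lines so padding cannot hide behind a line break.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
        if len(unfolded) > MAX_DATE_LEN:
            findings.append("Date header too long (%d chars)" % len(unfolded))
        if not DATE_RE.match(unfolded):
            findings.append("Date header malformed or has trailing data")
    return findings

# Constructed sample messages (filler text only).
BENIGN = (b"From: someone@somedomain\r\nTo: target@someotherdomain\r\n"
          b"Date: Thu,19 Jul 2000  11:11:00\r\nSubject: hello\r\n\r\nbody\r\n")
FOLDED = BENIGN.replace(b"2000  11", b"2000\r\n 11")
PADDED = BENIGN.replace(b"11:11:00", b"11:11:00 " + b"A" * 200)

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("folded", FOLDED), ("padded", PADDED)):
        print(name, check_date_headers(msg))
```

The date-time written as in the example above passes, folded or not, while the padded header is reported both for its length and for the data following the time.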

    USSRLabs has also made available a series of client-side tools that demonstrate the problem:


    Microsoft issued FAQ# FQ00-043 regarding this problem along with a patch and Support Online article Q267884, which also pertain to security issues MS00-043 and MS00-046.

    Microsoft's bulletin states that "this vulnerability can be eliminated by taking any of the following actions:

    • Installing the patch available at
    • Performing a default installation of Internet Explorer 5.01 Service Pack 1,
    • Performing a default installation of Internet Explorer 5.5
      on any system except Windows 2000.

    Note: The patch requires IE 4.01 SP2 (http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm) to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q267884"

    Discovered by USSRLabs