| Title: | Microsoft Outlook Overrun Vulnerability |
| Date Issued: | July 28, 1998 |
| Last Modified: | July 28, 1998 |
| Code: | AA-98.02 |
| Source: | AusCERT |
===========================================================================
AA-98.02 AUSCERT Advisory
Microsoft Outlook Overrun Vulnerability
28 July 1998

Last Revised: --

---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
Microsoft Outlook 98 and Microsoft Outlook Express products available on
various operating systems and platforms including Windows '95, Windows '98,
Windows NT, Solaris and Macintosh.

This vulnerability may allow attackers to execute arbitrary commands on the
vulnerable systems.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

---------------------------------------------------------------------------

1. Description

AUSCERT has received information concerning a vulnerability in Microsoft
Outlook 98 and Microsoft Outlook Express products available on various
operating systems and platforms including Windows '95, Windows '98,
Windows NT, Solaris and Macintosh.

Due to insufficient checking while processing mime name tags supplied in
an email message (such as file attachments with long names) a buffer
overrun in Microsoft Outlook 98 or Microsoft Outlook Express may occur.
This vulnerability may be exploited to force those programs to execute
arbitrary commands with the privileges of the user running the program.

AUSCERT is unaware of any incidents in which this vulnerability has been
exploited. However, AUSCERT agrees with the assessment of this
vulnerability by CIAC who state "the ease with which it can be exploited,
the wide distribution of vulnerable readers, and the potential for damage
makes it a very serious problem."

This vulnerability can be exploited when a user is attempting to download,
open or launch a file attachment.

Note that the problem is exploitable by embedding exploit code in
attachment identifiers, rather than the attachment contents. As the attack
occurs via an email message it is unlikely to be stopped or detected by
current firewalls and anti-virus products.

Information regarding which versions of Microsoft Outlook 98 and Microsoft
Outlook Express are vulnerable can be found in Section 3.

2. Impact

The exploit allows an attacker to execute arbitrary commands on the victim
machine with the privileges of the victim user.

3. Workarounds/Solution

Microsoft have issued a Security Bulletin (MS98-008) describing this
vulnerability. This bulletin lists all versions of Microsoft Outlook 98
and Microsoft Outlook Express which are known to be affected and includes
patch/workaround information. It is available from:

    http://www.microsoft.com/security/bulletins/ms98-008.htm

AUSCERT encourages sites to install the patches recommended above as soon
as possible.

---------------------------------------------------------------------------

AUSCERT thanks Ari Takanen and Marko Laakso of the Finnish Oulu University
Secure Programming Group for drawing this problem and its solution to our
attention. We acknowledge the COAST team and Russ Cooper of NTBugtraq for
their assistance in its resolution.

---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031

Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
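Section 1 locates the problem in attachment identifiers rather than attachment contents. The check below is an added example, not part of the AusCERT advisory or of Microsoft's bulletin: a mail-gateway filter in Python that measures each MIME part's `name` and `filename` parameters after RFC 2231 fragments have been joined. The 200-character limit, the function names and the sample message are assumptions, since the advisory states no length.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

# Assumed local policy limit; the advisory does not state a length.
MAX_NAME_LEN = 200
# Attachment identifiers: (header, parameter) pairs carrying a part's name.
CHECKED = (("content-type", "name"), ("content-disposition", "filename"))


def overlong_identifiers(raw, limit=MAX_NAME_LEN):
    """Return (part_index, header, param, length) for each identifier over limit."""
    findings = []
    for idx, part in enumerate(message_from_bytes(raw).walk()):
        for header, param in CHECKED:
            value = part.get_param(param, header=header)
            if value is None:          # header or parameter absent
                continue
            # get_param() has already joined name*0, name*1, ... fragments;
            # collapse_rfc2231_value() decodes the charset-tagged tuple form.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((idx, header, param, len(name)))
    return findings


def sample_message(disposition_params):
    """Build a constructed two-part test message (not a captured sample)."""
    return (
        "From: sender@example.org\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n'
        "\n"
        "--b\n"
        "Content-Type: text/plain\n"
        "\n"
        "hello\n"
        "--b\n"
        "Content-Type: application/octet-stream\n"
        "Content-Disposition: attachment;" + disposition_params + "\n"
        "\n"
        "data\n"
        "--b--\n"
    ).encode("ascii")


if __name__ == "__main__":
    split = '\n filename*0="' + "A" * 150 + '";\n filename*1="' + "B" * 150 + '"'
    for label, params in (("short", ' filename="report.txt"'), ("split", split)):
        print(label, overlong_identifiers(sample_message(params)))
```

The length is taken after reassembly because a name split into fragments that are each under the limit still reaches the mail client as one long string.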