Bugtraq mailing list archives
FW: Alert: Arbitrary code execution via email or news
From: patrick () pine nl (Patrick Oonk)
Date: Mon, 27 Jul 1998 18:08:30 +0200
-----Original Message-----
From: Windows NT BugTraq Mailing List [mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM] On Behalf Of Russ
Sent: Monday, July 27, 1998 5:55 PM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Alert: Arbitrary code execution via email or news

A buffer overrun has been detected in Outlook Express (v4.72.2106.4 & v4.72.3110.1), and Netscape Mail (v4.05 & 4.5b1). So far only the Macintosh versions have proven unaffected.

Ari Takanen and Marko Laakso of the Finnish Oulu University Secure Programming Group <http://www.ee.oulu.fi/groups/ouspg> discovered it back in late June. They have been working closely with AUSCERT and the vendors. CIAC, and COAST/CERIAS (via Gene Spafford) have also been involved. NTBugtraq was brought in quietly to help facilitate communications back on July 3rd, and using its contacts and discretion, has helped to facilitate speedy fixes and involvement of the appropriate groups.

The exploit method is slightly different in the two different products (MS versus NS), but it centers around the malicious use of tags used to identify an attachment. The attachment itself is not relevant; its contents need not contain any exploit. The tags that identify the attachment contain the exploit code. Therefore, the exploit code can be invoked without actually opening the attachment itself (and in at least one test scenario, without even opening the message!).

The exploit has been demonstrated in email and news, and has been confirmed by both Microsoft and Netscape. COAST has suggested that Eudora is thus far unaffected by the same problem.

There are too many possible avenues of exploit to document here, and many have not yet been tested. Attachment type does not appear to matter, so it could as easily be done with a .txt file as a .gif, or .doc, or .zip.

Thus far there is no demonstration exploit available in the wild, thank god, but it's likely that such a program will appear. As long as affected versions of the exploitable software continue to exist (and there are enough of them around to say they'll likely exist for a long time, like the version shipped with Windows '98), the chances of a new Internet Worm loom over our heads.

Meanwhile, look for an MS Security Bulletin shortly (it's due to be released at 9:00am PST) indicating the location of a fix. Netscape have said that the fix for Netscape Mail will be included in their v4.06 release, due out around August 7th. They indicated they may put something up on their website about this today.

The exploit does work on Windows NT, as well as Windows '95/'98, and with Outlook Express on Solaris 2.x. Microsoft indicated they found an issue with Outlook '98 also; look for details of this in their bulletin.

I have written a very long editorial of the issue and will post it to the NTBugtraq website later today. For now, hold off on asking questions until after the MS Bulletin is released.

Cheers,
Russ
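A gateway-side check for the condition described in the alert, as an added example that is not part of the original post or any vendor fix: it inspects the parameters that identify an attachment without ever touching the attachment body. It assumes the "tags" are the MIME `name` and `filename` parameters; the 255-character limit, the control-character test and the sample messages are also assumptions made for this illustration.

```python
import email
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed policy limit; the alert gives no number

# Header/parameter pairs that identify an attachment (assumed to be the
# "tags" the alert refers to).
NAME_PARAMS = (("content-type", "name"), ("content-disposition", "filename"))


def sample_message(name):
    """Constructed test input: a two-part message whose attachment is `name`."""
    return ("From: a@example.org\r\nSubject: test\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            f'--b1\r\nContent-Type: text/plain; name="{name}"\r\n'
            f'Content-Disposition: attachment; filename="{name}"\r\n\r\n'
            "body\r\n--b1--\r\n")


def attachment_names(msg):
    """Yield (header, parameter, value) for each identifying parameter."""
    for part in msg.walk():  # walks nested multiparts too
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is not None:
                # RFC 2231 encoded values arrive as tuples; flatten them.
                yield header, param, collapse_rfc2231_value(value)


def suspicious_names(raw):
    """Return findings for over-long or control-character attachment names."""
    findings = []
    for header, param, value in attachment_names(email.message_from_string(raw)):
        reasons = []
        if len(value) > MAX_NAME_LEN:
            reasons.append(f"length {len(value)} exceeds {MAX_NAME_LEN}")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            reasons.append("control characters in name")
        if reasons:
            findings.append((header, param, reasons))
    return findings


if __name__ == "__main__":
    for name in ("report.txt", "A" * 400 + ".txt"):
        print(len(name), suspicious_names(sample_message(name)))
```

Because the check reads only headers, it can run before a message reaches the mail client, which matters here since the alert notes the flaw can trigger without the attachment being opened.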