Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin (MS98-008)

From: aleph1 () DFW NET (Aleph One)
Date: Wed, 12 Aug 1998 12:16:50 -0500

Date: Wed, 12 Aug 1998 09:51:43 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-008)

Microsoft Security Bulletin (MS98-008)

--------------------------------------------------------------

Long Filename Attachment Vulnerability affecting Microsoft (R) Outlook (TM)
98 and Microsoft Outlook Express 4.x

Last Revision: August 11, 1998

Summary
=======
Recently Microsoft was notified by AUSCERT (http://www.auscert.org.au),
OUSPG (http://www.oulu.fi/Welcome.html) and NTBugtraq
(http://ntbugtraq.ntadvice.com) of a security vulnerability affecting the
way Microsoft email clients handle file attachments with extremely long file
names.

On July 27th Microsoft published patches for Outlook 98 and Outlook Express
4.x that fixed the vulnerability reported to us by OUSPG. As part of our
on-going security review process and analysis, we discovered a variant of
the original vulnerability, and on August 11th, we posted updated versions
of the patches that addresses all known vulnerabilities.

Microsoft strongly recommends that all users download the appropriate
updated patch to be protected against these vulnerabilities. Note: Customers
should obtain these patches by downloading them from the Web sites listed
below, or through some other trusted mechanism, such as through their ISP.
While Microsoft has been sending email notifications to their customers to
alert them to this issue and the availability of a patch, Microsoft does not
send the patches in the email. Customers who receive an email with an
attachment that claims to be a patch, should not install it.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further  secure its customers.

Issue
=====
When the email client receives a malicious mail or news message that
contains an attachment with a very long filename, it could cause the email
client to shut down unexpectedly. These very long filenames do not normally
occur in mail or news messages, and must be intentionally created by someone
with malicious intent. A skilled hacker could use this malicious email
message to run arbitrary computer code contained in the long string.

This issue can cause one of the following to occur when attempting to
download, open or view an mail or news message in Microsoft Outlook 98 or
Microsoft Outlook Express 4.x that has an attachment with a very long
filename.

An error message similar to the following may be displayed:
   This program has performed an illegal operation and
   will be shut down. If the problem persists, contact
   the program vendor.

Outlook 98 or Outlook Express may terminate unexpectedly.

Affected Software Versions
==========================
 - Outlook 98 on Windows (R) 95, Windows 98 and Microsoft
   Windows NT (R) 4.0
 - Outlook Express 4.0, 4.01 (including Outlook Express 4.01
   with Service Pack 1) on Windows 95, Windows 98 and
   Windows NT 4.0
 - Outlook Express 4.01 on Solaris
 - Outlook Express 4.01 on the Macintosh

Additional Details
==================
Outlook 98
----------
When Outlook 98 attempts to download a mail or news message with a file
attachment that has a filename greater than a certain length, Outlook could
terminate unexpectedly. The user does not  have to open the message or
attachment in order for this to occur.

This issue affects all users of Outlook 98.

Outlook 97 is not affected by this issue.

Outlook Express 4.x
-------------------
When the user attempts to open an attachment in Outlook Express mail or news
client and the attachment has a filename longer than a certain number of
characters, the client could terminate unexpectedly.

Outlook Express 4.01 for Microsoft Windows 3.1 and Windows NT 3.51 are not
affected by this issue.

What Microsoft is Doing
=======================
On July 27th Microsoft published patches for Outlook 98 and Outlook Express
4.x that fixed the vulnerability reported to us by OUSPG. This vulnerability
was caused by improper handling of file attachments with very long filenames
in Outlook 98 and Outlook Express 4.x.

As part of our on-going security review process and analysis, we discovered
a variant of the original vulnerability. On August 11th, we posted updated
versions of the patches originally posted on July 27th, which fixes all
known vulnerabilities.

Microsoft has sent this security bulletin (MS98-008) to the
Microsoft Product Security Notification Service. (See
http://www.microsoft.com/security/bulletin.htm for more information about
this free customer service). Microsoft has also sent an email alert to all
registered users of Outlook 98 and Outlook Express.

In addition, Microsoft has notified CERT, an industry security organization,
which distributes information to corporate, government and end-users.

What customers should do
========================
Microsoft highly recommends that customers download and apply the
appropriate updates listed below. Note: Customers should obtain these
patches by downloading them from the Web sites listed below, or through some
other trusted mechanism, such as through their ISP. While Microsoft has been
sending email notifications to their customers to alert them to this issue
and the availability of a patch, Microsoft does not send the patches in the
email. Customers who receive an email with an attachment that claims to be a
patch should not install it.

Microsoft Outlook 98
--------------------
Customers using Microsoft Outlook 98 for Windows 95, Windows 98
or Windows NT 4.0 should download the updated Outlook 98
patch from Office Update at
http://www.microsoft.com/outlook/enhancements/outptch2.asp

Localized versions of the Outlook 98 patch will be released shortly.

Microsoft Outlook Express 4.x
-----------------------------
Customers using Outlook Express 4.0 that comes with Internet
Explorer 4.0 on Windows 95, Windows 98 or Windows NT 4.0 must
first upgrade to Internet Explorer 4.01 SP1
(http://www.microsoft.com/ie/download),
then install the Outlook Express updated patch listed below.

Customers using Microsoft Outlook Express 4.01 or 4.01 SP1 for
Windows 95, Windows 98, Windows NT 4.0 or the Macintosh should
download the available updated patch from the Internet Explorer
security Web site,
http://www.microsoft.com/ie/security/oelong.htm

Windows 98 customers can also get the updated Outlook Express
patch using the Windows Update feature of Windows 98. For more
information, please visit the Windows Update site,
http://windowsupdate.microsoft.com

The patch for Microsoft Outlook Express 4.01 for Solaris will
be released shortly. When this patch is available, it will be
announced at
http://www.microsoft.com/security

Localized versions of the Outlook Express 4.x patch will be released
shortly.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin 98-008, Long Filename Attachment
   Vulnerability affecting Microsoft Outlook 98 and Microsoft
   Outlook Express 4.x (the Web posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-008.htm

 - Microsoft Media Alert, E-mail Security Issue, July 29, 1998,
   http://www.microsoft.com/presspass/press/1998/jul98/securpr.htm

 - Microsoft Internet Explorer Security Web Site,
   http://www.microsoft.com/ie/security

 - Microsoft Internet Explorer Security Bulletin, "Fix
   available for Outlook Express File Attachment issue,"
   http://www.microsoft.com/ie/security/oelong.htm

 - Updated Patch for Outlook 98 Security Issue,
   http://www.microsoft.com/outlook/enhancements/outptch2.asp

 - Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/emailfaq.htm

Revisions
=========

July 27, 1998: Bulletin Created.
July 29, 1998: Bulletin Updated.
August 11, 1998: Include information on updated patch.

For additional security-related information about Microsoft
products, please visit http://www.microsoft.com/security



----------------------------------------------------------------------------
----


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(C) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: