Bugtraq mailing list archives

Microsoft Security Bulletin (MS98-008)


From: aleph1 () DFW NET (Aleph One)
Date: Mon, 27 Jul 1998 11:53:38 -0500


---------- Forwarded message ----------
Date: Mon, 27 Jul 1998 09:22:22 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-008)

Microsoft Security Bulletin (MS98-008)
--------------------------------------

Update Available For Long Filename Security Issue affecting Microsoft
Outlook 98 and Microsoft Outlook Express 4.x

Last Revision: July 27, 1998

Summary
=======
Recently Microsoft was notified by AUSCERT (http://www.auscert.org.au),
OUSPG (http://www.oulu.fi) and NTBugtraq (http://ntbugtraq.ntadvice.com) of
a security issue affecting the way Microsoft email clients handle file
attachments with extremely long file names. When a user attempts to
download, open or launch a file attachment that has a name greater than a
certain number of characters, the action might cause the client to shut down
unexpectedly. Once the client has crashed, a skilled hacker could possibly
run arbitrary code in the computer's memory.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
This issue can cause one of the following to occur when attempting to
download, launch or view a file attachment in Microsoft Outlook 98 or
Microsoft Outlook Express that has a name that is greater than a certain
number of characters:

1. An error message similar to the following may be displayed:
   This program has performed an illegal operation and will be shut down.
   If the problem persists, contact the program vendor.

2. Outlook 98 or Outlook Express may terminate unexpectedly.

It is difficult but possible for an individual to cause malicious code to be
executed on your computer as a result of this problem. There have not been
any reports of customers being affected by this problem.

Specific Details
================
Outlook 98
----------
When Outlook 98 attempts to download a message with a file attachment that
has a filename greater than a certain length, Outlook could terminate
unexpectedly. The user does not have to open the attachment in order for
this to occur.

This issue will only occur if Outlook 98 is installed with an Internet Mail
Only configuration, or with an Internet Mail service in the
Corporate/Workgroup configuration.

When the user attempts to open an attachment in the Outlook 98 newsreader
and the attachment has a filename longer than a certain number of
characters, the client could crash. (see Workaround for the newsreader
below)

Outlook Express
---------------
When the user attempts to open an attachment in Outlook Express mail or news
client and the attachment has a filename longer than a certain number of
characters, the client could terminate unexpectedly. (see Workaround below)

Affected Software Versions
==========================
   * Outlook 98 on Windows '95, Windows '98 and Windows NT, when
   configured for Internet Mail Only OR Corporate/Workgroup support
   with an Internet Mail service.  Outlook 97 and Outlook for
   Macintosh, Microsoft Exchange Server Edition are not affected by
   this issue.

   * Outlook Express included with Internet Explorer 4.0, 4.01 & 4.01
   with Service Pack 1 on Windows '95, Windows '98 and Windows NT

   * Outlook Express included with Internet Explorer 4.01 on Solaris.

   * Outlook Express included with Internet Explorer 4.01 on the Macintosh.

   * Outlook Express 4.01 for Windows 3.1 is not affected by this issue.


What Microsoft is Doing
=======================
Microsoft has posted an update that protects customers against a potential
problem involving file attachments with extremely long names.

To get the update for Microsoft Outlook 98 for Windows '95, Windows '98 &
Windows NT, see http://support.microsoft.com/support/msfe.
1. On the Microsoft File Exchange page, click "Click Here to Receive a
   file from a Microsoft Technical Support engineer via your web browser."
2. On the "Receiving Files From MFSE" page, type OLMIME in the box, and
   click Continue.
3. The name of the file is outpatch.exe

This patch will work for all language versions of Microsoft Outlook 98.

If you use the Outlook 98 newsreader, you must also install the update for
Outlook Express noted below.

Microsoft Outlook Express 4.0 users
-----------------------------------
If you are using Outlook Express 4.0 that comes with Internet Explorer 4.0,
you must upgrade to Internet Explorer 4.01 in order to apply this update.
You can upgrade to Internet Explorer 4.01 with Service Pack 1 at the
following location: http://www.Microsoft.com/ie

To get the update for Microsoft Outlook Express 4.01 for Windows '95,
Windows '98 & Windows NT, see
http://www.microsoft.com/ie/security/oelong.htm

The update for Microsoft Outlook Express 4.01 for the Macintosh & Solaris
will be released shortly. Please visit http://www.Microsoft.com/security for
updated information.

What customers should do
========================
Microsoft recommends that customers using Internet Explorer 4.0 immediately
upgrade to Internet Explorer 4.01 and then apply the update. Customers using
Outlook '98  & Internet Explorer 4.01 can directly apply the appropriate
update.

Administrative workaround
=========================
Customers who cannot apply the hot fix to Outlook Express can use the
following workaround to temporarily address this issue:

For Outlook Express
-------------------
Customers who get attachments in e-mail should NOT click on the attachment.
They should save the attachment to their hard drive and then view the
attachment using the Windows Explorer. To save the attachment the user
should:
   1. Select Save Attachment from the File Menu.
   2. Choose the attachment name from the pop up menu and save to a hard
      drive.
   3. Bring up the Windows Explorer and view the attachment on the hard
      drive.

More Information
================
Please see the following references for more information related to this
issue.

   * Microsoft Security Bulletin 98-008, Update Available For Long
     Filename Security Issue affecting Microsoft Outlook 98 &
     Microsoft Outlook Express 4.x (the web-posted version of this
     bulletin), http://www.microsoft.com/security/bulletins/ms98-008.htm

   * Microsoft Internet Explorer Security Web Site,
     http://www.microsoft.com/ie/security

Revisions
=========
July 27, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.


          =====================================================
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
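
The check a mail gateway could run for the condition this bulletin describes, as an added example that is not part of the bulletin and not Microsoft's code: it parses a message and reports attachments whose declared name exceeds a length cap, including names split across RFC 2231 continuation parameters so that no single header line looks long. Assumptions: the 200-character cap (the bulletin states no exact length), the function names, and the sample messages, which are constructed.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Assumed site policy: the bulletin states no exact length.
MAX_NAME_LEN = 200

def attachment_names(part):
    """Yield each filename a client could take from this MIME part."""
    for param, header in (("filename", "content-disposition"),
                          ("name", "content-type")):
        value = part.get_param(param, header=header)
        if value is not None:
            # RFC 2231 encoded values arrive as (charset, language, text).
            yield collapse_rfc2231_value(value)

def oversized_attachments(raw_message, limit=MAX_NAME_LEN):
    """Return (length, 40-char prefix) for every name over the limit."""
    hits = []
    for part in message_from_string(raw_message).walk():
        for name in attachment_names(part):
            if len(name) > limit:
                hits.append((len(name), name[:40]))
    return hits

def _sample(disposition_params):
    """Build a constructed two-part message around the given parameters."""
    return (
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\nContent-Type: text/plain\n\nbody\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f"Content-Disposition: attachment;{disposition_params}\n"
        "\n"
        "data\n"
        "--b1--\n"
    )

BENIGN = _sample(' filename="report.txt"')
LONG_SINGLE = _sample(' filename="' + "A" * 300 + '.txt"')
# Continuations keep every header line short while the joined name is long.
LONG_SPLIT = _sample("\n " + ";\n ".join(
    f'filename*{i}="{"B" * 60}"' for i in range(5)))

if __name__ == "__main__":
    for raw in (BENIGN, LONG_SINGLE, LONG_SPLIT):
        print(oversized_attachments(raw))
```

The check measures the parsed parameter value rather than the raw header line, which is why the continuation-split sample is reported as well.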


