Bugtraq mailing list archives

Microsoft Security Bulletin MS01-012

From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 22 Feb 2001 19:36:02 -0800

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Outlook, Outlook Express Vcard Handler Contains
            Unchecked Buffer
Date:       22 February 2001
Software:   Outlook, Outlook Express
Impact:     Run code of attacker's choice
Bulletin:   MS01-012

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-012.asp.
- ----------------------------------------------------------------------

Issue:
======
Outlook Express provides several components that are used both by it
and Outlook, if Outlook is installed on the machine.  One such
component, used to process vCards, contains an unchecked buffer.

By creating a vCard and editing it to contain specially chosen data,
then sending it to another user, an attacker could cause  either of
two effects to occur if the recipient opened it. In the less serious
case, the attacker could cause the mail client  to fail.  If this
happened, the recipient could resume normal operation by restarting
the mail client and deleting the  offending mail. In the more serious
case, the attacker could cause the mail client to run code of her
choice on the user's  machine. Such code could take any desired
action, limited only by the permissions of the recipient on the
machine.

Because the component that contains the flaw ships as part of OE,
which itself ships as part of IE, the patch is specified in  terms of
the version of IE rather than OE or Outlook.

Mitigating Factors:
====================
 - There is no means by which a Vcard could be made to open
   automatically.


Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-012.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Ollie Whitehouse of @Stake (www.atstake.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOpXajo0ZSRQxA/UrAQHE/wf/UAy7GXCnezaGbWOjxjpgK5vuhCs/e37J
3hfsPFLqtxMqA/1L0OtnkhSlGIjIciwkCD0A7Uq6wFp+deA/Squ+zCrucZHGwBGr
Czw/7+W7lZ7FzZBF2jbs6ZNjyM3jyYE8TalsMlOFO3SXwXdX1j/PEeJ3jC5dnYuj
d1mjvCMGjdhFSFm0zcOVPhOPci4AXjGNSah5tJIu2u5gzCnfCh7DEurMajr5cjnY
qLq6tMEwgninJJNIxSjl6p5v9Va0rlZ+du6SDfYoSgC2cXgxWe7uo9qFrkzxK9ER
BzVhwe37jOp21P6qkCB5Rbymvrbr3748SHcoBMTXHZ1M0WZFe92oXg==
=2/Vm
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

Current thread:

Microsoft Security Bulletin MS01-012 Microsoft Product Security (Feb 23)
- <Possible follow-ups>
- Re: Microsoft Security Bulletin MS01-012 joelmoses (Feb 26)
- Re: Microsoft Security Bulletin MS01-012 http-equiv () excite com (Feb 26)
  - Re: Microsoft Security Bulletin MS01-012 Philip Stoev (Feb 27)
    - Re: Microsoft Security Bulletin MS01-012 Chris Timmons (Feb 28)
- Re: Microsoft Security Bulletin MS01-012 foobar (Feb 28)