Information Security News mailing list archives

Microsoft warns of new Outlook bug


From: William Knowles <wk () C4I ORG>
Date: Wed, 19 Jul 2000 03:14:36 -0500

http://news.cnet.com/news/0-1005-200-2285401.html?tag=st.ne.1002.bgif.ni

By Paul Festa
Staff Writer, CNET News.com
July 18, 2000, 4:45 p.m. PT

Microsoft today warned that a bug in its Outlook and Outlook Express
Internet software could potentially render useless its "safe
computing" advice to help protect PCs against virus attacks.

Microsoft and other software sellers and security organizations have
long warned people that they should protect themselves against email
viruses by not opening attachments they are not expecting.

But under a potential exploit Microsoft described today, email
recipients wouldn't even have to open booby-trapped attachments or the
email message. Simply receiving the message from the email server
would be enough to trigger the damage.

A component distributed with Microsoft's Internet Explorer browser and
common to both the Outlook email software and Outlook Express
productivity software suite is vulnerable to a buffer overflow
exploit.

Said to be the most common software bug of the past 10 years, the
buffer overflow problem lies in the way fields respond to long strings
of data.

In this instance, the date field of Outlook email is vulnerable to a
buffer overflow attack, in which a bogus and extremely long date can
cause the application to crash and send excess characters--potentially
malicious code--into memory, where they can be executed.
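As an added illustration (not code from the article, Microsoft or USSR), the following C shows the defect class described above in a hypothetical mail client: a Date: header value copied into a fixed-size buffer with no length check, beside a hardened copy that rejects overlong values instead of overrunning. The buffer size and the sample headers are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size destination for a parsed Date: value. A well-formed RFC 822
 * date is about 31 characters, so 40 is plausible for a client that assumes
 * dates are short. Hypothetical size, not Outlook's actual buffer. */
#define DATE_BUF_LEN 40

/* Unsafe pattern: copies the header value into the fixed buffer with no
 * length check, so an overlong value runs past the end of the buffer.
 * Shown for contrast only; not called below. */
void copy_date_unsafe(const char *value, char out[DATE_BUF_LEN]) {
    strcpy(out, value);
}

/* Hardened version: measure the value against the buffer size before
 * copying and reject anything that would not fit (no silent truncation). */
bool copy_date_safe(const char *value, char out[DATE_BUF_LEN]) {
    size_t n = 0;
    while (n < DATE_BUF_LEN && value[n] != '\0')
        n++;
    if (n >= DATE_BUF_LEN) {     /* no room for the terminator: reject */
        out[0] = '\0';
        return false;
    }
    memcpy(out, value, n + 1);   /* n + 1 <= DATE_BUF_LEN, includes the NUL */
    return true;
}

/* Return a pointer to the value of a "Date: " header line, or NULL if the
 * line is some other header. */
const char *date_value(const char *line) {
    static const char prefix[] = "Date: ";
    return strncmp(line, prefix, sizeof prefix - 1) == 0
               ? line + sizeof prefix - 1 : NULL;
}

int main(void) {
    char buf[DATE_BUF_LEN];
    /* Constructed sample headers: one normal, one with a bogus 300-char date. */
    const char *ok = "Date: Tue, 18 Jul 2000 16:45:00 -0700";
    char bogus[400] = "Date: ";
    memset(bogus + 6, 'A', 300);
    bogus[306] = '\0';
    printf("normal date accepted: %d\n", copy_date_safe(date_value(ok), buf));
    printf("300-char date accepted: %d\n", copy_date_safe(date_value(bogus), buf));
    return 0;
}
```

The hardened path is the mitigation the article's patches aim at: the oversized date is refused before any byte is written past the buffer, so the excess characters never reach memory.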

Microsoft said it is working on patches that will protect against the
vulnerability, with patches available for some versions of IE and the
Windows operating system but not for others.

Microsoft said anyone who has installed IE 5.01 Service Pack 1 or IE
5.5 is already protected against the exploit, unless the computer runs
Windows 2000. Windows 2000 users will need to install Windows 2000
Service Pack 1. Microsoft said patches for IE 4.01 Service Pack 2 and
IE 5.01 are in progress.

Another patch is under construction for computers running Outlook but
not Outlook Express.

Microsoft credited Buenos Aires-based security firm Underground
Security Systems Research (USSR) with discovering the bug. The
vulnerability was also the subject of an alert on the Bugtraq security
mailing list.

The buffer overflow bug comes in the wake of a lengthening string of
security embarrassments for Microsoft. Fresh from patching a handful
of bugs affecting its Excel, PowerPoint and Access software, the
company is still in the process of repairing several vulnerabilities
in its Internet Explorer browser and other applications.

These include a bug in IE that lets an attacker read files on a
victim's computer and a bug in Excel that lets an attacker take
control of a victim's computer while bypassing standard warnings.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".