-----BEGIN PGP SIGNED MESSAGE-----


Internet Security Systems Security Alert
July 19th, 2000

Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients

Synopsis:
On July 18th, details of a high-risk remote buffer overflow vulnerability
were made public.  This vulnerability has the potential to expose millions
of email users to malicious attack and compromise.  All current versions of
Microsoft Outlook and Microsoft Outlook Express are vulnerable.  


Impact:
This vulnerability is far more severe than the recent deluge of the ILOVEYOU
visual basic virus and its clones.  In the case of the ILOVEYOU virus, the
exploit payload was delivered when the user opened the included attachment.
This vulnerability does not include attachments and the exploit code may be
executed without the user's knowledge.  In some cases, the target machine
may already be compromised before the message is even read.

Detection of this new threat with conventional tools is very difficult.  To
make detection and filtering even more difficult, some conventional methods
prevent such attacks can easily be circumvented and are already being
discussed publicly.

Affected Versions:
Microsoft Outlook Express 4.0 
Microsoft Outlook Express 4.01 
Microsoft Outlook Express 5.0 
Microsoft Outlook Express 5.01 
Microsoft Outlook 97 
Microsoft Outlook 98 
Microsoft Outlook 2000 

Unaffected Users:
Microsoft Exchange mail systems using MAPI (Messaging API) are not affected.
Users are only exposed if they use the affected mail clients to retrieve
their email using the POP3 or the IMAP protocols.

Users who have installed Internet Explorer 5.01 Service Pack 1, and users who
have installed Internet Explorer 5.5 on any version of Windows other than
Windows 2000 are not at risk from this vulnerability.


Description:
The vulnerability is caused by a buffer overflow in the parsing of the
time zone in the 'Date' field for incoming email.  The exploit is delivered
by sending email messages containing the exploit payload.  If a long 'Date'
string is provided in the form of a carefully crafted exploit, this code can
be executed once the message is read, replied to, to or forwarded.  In some
cases, the message does not even have to be read for the code to be
executed.  This exploit is very dangerous because the entire process, from
delivery to execution is completely hidden from the user.  Sample exploit
code provided by researchers demonstrates the capability to remotely run and
install software without knowledge of the end user.  These types of exploits
are traditionally used by attackers to install backdoor programs to further
compromise of the affected host. 

All current versions of Microsoft Outlook and Microsoft Outlook Express are
vulnerable.  The details of the vulnerability are slightly different for the
two affected clients.  Microsoft Outlook Express exposes users to this
vulnerability if the tainted email is in an open folder, or even if the
message is previewed.  Outlook will only execute the exploit code if the
email is opened, replied to, or forwarded.  Outlook users will be able to
delete tainted emails without compromising their systems.  Outlook Express
users attempting to delete tainted emails will already be exposed.
Fix Information:

The following fix information has been provided by Microsoft (in Microsoft
Security Bulletin MS00-043):

The vulnerability can be eliminated by a default installation of 
either of the following upgrades: 
 - Internet Explorer 5.01 Service Pack 1, 
   <http://www.microsoft.com/Windows/ie/download/ie501sp1.htm> 
 - Internet Explorer 5.5 on any system except Windows 2000, 
   <http://www.microsoft.com/windows/ie/download/ie55.htm> 
Note: A non-default installation of IE 5.01 SP1 or IE 5.5 also will 
eliminate this vulnerability, as long as an installation  method is 
chosen that installs upgraded Outlook Express components. 
Note: When installed on a Windows 2000 machine, IE 5.5 does not 
install upgraded Outlook Express components, and therefore  does not 
eliminate the vulnerability. However, Windows 2000 Service Pack 1 
will install IE 5.5 and upgrade the Outlook  Express components at 
the same time. 
Note: Patches will be available shortly that will eliminate the 
vulnerability without requiring a full version upgrade. When  they 
are available, we will update this bulletin and re-release it. 

Recommendations:
Internet Security Systems RealSecure customers can use the following
procedure to detect and/or kill malicious email traveling over SMTP:

1. From the View menu, select 'Network Sensor Policies' or 'Network Engine
Policies', depending on the version of RealSecure you are using.

2. Select your policy, and then click 'Customize...'.

3. Click the 'User Defined Events' tab.

4. Click 'Add' on the right hand side of the dialog box.

5. Type in a name for the event, such as 'Outlook Date Overflow'.

6. In the 'Context' field, select 'Email_Content'.

7. In the 'String' field, type the following:

^Date: (.{50,50}|.*[^ -~]+)

8. You may want to configure RealSecure to kill the connection by editing
the 'Response' field to include the RSKILL action.

9. Click 'Save', and then click 'Close'.

10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version
of RealSecure you are using.

RealSecure will now detect messages with a Date: field that is longer than
50 characters, or if it contains any non-printable characters (not between
ASCII 0x20 and 0x7E, space, or tilde).

It is possible for this signature to false positive if there is a line in
your e-mail that starts with "date: ", and at least 50 characters or any
non-printable characters or extended ASCII characters on the same line
after it.  If you have a high false positive rate, increase both numbers
in the regular expression from 50 to 70.

ISS' SAFEsuite intrusion detection system, RealSecure, will include new
attack signatures to detect this vulnerability in the next X-Press Update.
ISS' SAFEsuite network security assessment product, Internet Scanner, will
have checks available to detect this vulnerability in the next X-Press
Update.


Additional Information:

Microsoft has provided the following information in regards to this
vulnerability.  The Microsoft FAQ on the vulnerability is available at:   
   <http://www.microsoft.com/technet/security/bulletin/fq00-043.asp> 

Microsoft Knowledge Base article Q267884 will provide some information on
the vulnerability when it becomes available.

In addition, all queries for Microsoft related security information should
be directed at the Microsoft TechNet Security web site at:
   <http://www.microsoft.com/technet/security/default.asp>

______ 

About Internet Security Systems (ISS) 
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477. 

Copyright (c) 2000 Internet Security Systems, Inc. 

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission. 

Disclaimer 
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk. 

X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as well
as on MIT's PGP key server and PGP.com's key server. 

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
<mailto:xforce@iss.net> of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOXXhXDRfJiV99eG9AQGA7QP/TznJLt0BdkuKE2DktxUB24rpHEDgcPEs
c/owtTm3iig3YpRDNnrT8/FZyZR9cghHh78PFoaTlG3c4UlMnNwIEdW53bVlabDd
BtqDbALMN58t9gtSxYV1fSSVrsPDobYIFKYJLtPg1hedSW9xVSZ5iQQJUadIYKPm
mSvDs6S9sJQ=
=HEeY
-----END PGP SIGNATURE-----