

Posted Jul 20, 2000
Site xforce.iss.net

Internet Security Systems Security Alert July 19, 2000. On July 18th, details of a high-risk remote buffer overflow vulnerability in Microsoft Outlook and Outlook Express were made public. This vulnerability has the potential to expose millions of email users to malicious attack and compromise. All current versions of Microsoft Outlook and Microsoft Outlook Express are vulnerable.

tags | remote, overflow
MD5 | 8e91971e826a01306ad6bbedadb30844



Internet Security Systems Security Alert
July 19th, 2000

Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients

On July 18th, details of a high-risk remote buffer overflow vulnerability
were made public. This vulnerability has the potential to expose millions
of email users to malicious attack and compromise. All current versions of
Microsoft Outlook and Microsoft Outlook Express are vulnerable.

This vulnerability is far more severe than the recent deluge of the ILOVEYOU
visual basic virus and its clones. In the case of the ILOVEYOU virus, the
exploit payload was delivered when the user opened the included attachment.
This vulnerability does not include attachments and the exploit code may be
executed without the user's knowledge. In some cases, the target machine
may already be compromised before the message is even read.

Detection of this new threat with conventional tools is very difficult. To
make detection and filtering even more difficult, some conventional methods
to prevent such attacks can easily be circumvented and are already being
discussed publicly.

Affected Versions:
Microsoft Outlook Express 4.0
Microsoft Outlook Express 4.01
Microsoft Outlook Express 5.0
Microsoft Outlook Express 5.01
Microsoft Outlook 97
Microsoft Outlook 98
Microsoft Outlook 2000

Unaffected Users:
Microsoft Exchange mail systems using MAPI (Messaging API) are not affected.
Users are only exposed if they use the affected mail clients to retrieve
their email using the POP3 or the IMAP protocols.

Users who have installed Internet Explorer 5.01 Service Pack 1, and users who
have installed Internet Explorer 5.5 on any version of Windows other than
Windows 2000 are not at risk from this vulnerability.

The vulnerability is caused by a buffer overflow in the parsing of the
time zone in the 'Date' field for incoming email. The exploit is delivered
by sending email messages containing the exploit payload. If a long 'Date'
string is provided in the form of a carefully crafted exploit, this code can
be executed once the message is read, replied to, or forwarded. In some
cases, the message does not even have to be read for the code to be
executed. This exploit is very dangerous because the entire process, from
delivery to execution, is completely hidden from the user. Sample exploit
code provided by researchers demonstrates the capability to remotely run and
install software without the knowledge of the end user. These types of
exploits are traditionally used by attackers to install backdoor programs to
further compromise the affected host.

All current versions of Microsoft Outlook and Microsoft Outlook Express are
vulnerable. The details of the vulnerability are slightly different for the
two affected clients. Microsoft Outlook Express exposes users to this
vulnerability if the tainted email is in an open folder, or even if the
message is previewed. Outlook will only execute the exploit code if the
email is opened, replied to, or forwarded. Outlook users will be able to
delete tainted emails without compromising their systems. Outlook Express
users attempting to delete tainted emails will already be exposed.

Fix Information:

The following fix information has been provided by Microsoft (in Microsoft
Security Bulletin MS00-043):

The vulnerability can be eliminated by a default installation of
either of the following upgrades:
- Internet Explorer 5.01 Service Pack 1,
- Internet Explorer 5.5 on any system except Windows 2000,
Note: A non-default installation of IE 5.01 SP1 or IE 5.5 also will
eliminate this vulnerability, as long as an installation method is
chosen that installs upgraded Outlook Express components.
Note: When installed on a Windows 2000 machine, IE 5.5 does not
install upgraded Outlook Express components, and therefore does not
eliminate the vulnerability. However, Windows 2000 Service Pack 1
will install IE 5.5 and upgrade the Outlook Express components at
the same time.
Note: Patches will be available shortly that will eliminate the
vulnerability without requiring a full version upgrade. When they
are available, we will update this bulletin and re-release it.

Internet Security Systems RealSecure customers can use the following
procedure to detect and/or kill malicious email traveling over SMTP:

1. From the View menu, select 'Network Sensor Policies' or 'Network Engine
Policies', depending on the version of RealSecure you are using.

2. Select your policy, and then click 'Customize...'.

3. Click the 'User Defined Events' tab.

4. Click 'Add' on the right hand side of the dialog box.

5. Type in a name for the event, such as 'Outlook Date Overflow'.

6. In the 'Context' field, select 'Email_Content'.

7. In the 'String' field, type the following:

^Date: (.{50,50}|.*[^ -~]+)

8. You may want to configure RealSecure to kill the connection by editing
the 'Response' field to include the RSKILL action.

9. Click 'Save', and then click 'Close'.

10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version
of RealSecure you are using.

RealSecure will now detect messages whose Date: field is longer than 50
characters, or contains any non-printable characters (anything outside the
range ASCII 0x20, space, through 0x7E, tilde).

It is possible for this signature to produce a false positive if there is a
line in your e-mail that starts with "date: " and has at least 50 characters,
or any non-printable or extended ASCII characters, on the same line after it.
If you have a high false positive rate, increase both numbers in the regular
expression from 50 to 70.
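
The Python sketch below is an added example, not part of the ISS alert or of
RealSecure. It applies the signature string above, line by line, to constructed
sample messages and compares a content-wide match with a check limited to the
header block, at both the 50 and 70 limits. The case-insensitive flag, the
header-only variant and every sample message are assumptions for illustration.

```python
import re

def signature(limit=50):
    # The advisory's string with the length made a parameter. IGNORECASE is an
    # assumption, taken from the advisory's note about lines starting "date: ".
    return re.compile(rb"^Date: (.{%d,%d}|.*[^ -~]+)" % (limit, limit), re.I)

def raw_hits(message, limit=50):
    """Test every line of the message, headers and body alike."""
    sig = signature(limit)
    # splitlines() drops CR/LF first; otherwise [^ -~] would match the line ending.
    return [ln for ln in message.splitlines() if sig.match(ln)]

def header_hits(message, limit=50):
    """Test only the header block, with folded continuation lines rejoined."""
    headers = []
    for ln in message.splitlines():
        if not ln:                       # first empty line ends the headers
            break
        if ln[:1] in (b" ", b"\t") and headers:
            headers[-1] += ln            # RFC 822 folded continuation
        else:
            headers.append(ln)
    sig = signature(limit)
    return [h for h in headers if sig.match(h)]

def build(date_value, body=b"See you then."):
    # Constructed sample message with CRLF line endings, as seen over SMTP.
    return b"\r\n".join([b"From: a@example.com", b"Date: " + date_value,
                         b"Subject: test", b"", body, b""])

# Constructed samples: harmless filler only, no payload.
SAMPLES = {
    "NORMAL": build(b"Tue, 18 Jul 2000 10:15:00 -0400"),
    "OVERLONG": build(b"Tue, 18 Jul 2000 10:15:00 " + b"A" * 80),
    "HIGHBIT": build(b"Tue, 18 Jul 2000 10:15:00 -04\xe900"),
    # Legitimate header with a zone comment: 55 characters after "Date: ".
    "ZONECOMMENT": build(b"Tue, 18 Jul 2000 10:15:00 -0400 (Eastern Daylight Time)"),
    # Ordinary body text that happens to start with "Date: " (63 characters).
    "BODYLINE": build(b"Tue, 18 Jul 2000 10:15:00 -0400",
        b"Date: Friday works for the review, please confirm with the whole team"),
}

if __name__ == "__main__":
    print("sample        raw@50 hdr@50 raw@70 hdr@70")
    for name, msg in SAMPLES.items():
        counts = [len(f(msg, n)) for n in (50, 70) for f in (raw_hits, header_hits)]
        print(f"{name:<13}", *counts, sep="      ")
```

The BODYLINE and ZONECOMMENT samples both trip the 50-character form; raising
the limit to 70 clears them while the overlong and high-bit Date values are
still flagged.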

ISS' SAFEsuite intrusion detection system, RealSecure, will include new
attack signatures to detect this vulnerability in the next X-Press Update.
ISS' SAFEsuite network security assessment product, Internet Scanner, will
have checks available to detect this vulnerability in the next X-Press

Additional Information:

Microsoft has provided the following information in regards to this
vulnerability. The Microsoft FAQ on the vulnerability is available at:

Microsoft Knowledge Base article Q267884 will provide some information on
the vulnerability when it becomes available.

In addition, all queries for Microsoft related security information should
be directed at the Microsoft TechNet Security web site at:


About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
<mailto:xforce@iss.net> of Internet Security Systems, Inc.
