-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Outlook Express S/MIME Parsing 
            Could Enable System Compromise (Q328676)
Date:       10 October 2002
Software:   Outlook Express
Impact:     Run code of attacker's choice. 
Max Risk:   Critical 
Bulletin:   MS02-058

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-058.asp.
- ----------------------------------------------------------------------

Issue:
======
To allow for verification of the authenticity of mail messages,
Microsoft Outlook Express supports digital signing of 
messages through S/MIME. A buffer overrun vulnerability lies in the
code that generates the warning message when a particular 
error condition associated with digital signatures occurs. 

By creating a digitally signed email and editing it to introduce
specific data, then sending it to another user, an attacker 
could cause either of two effects to occur if the recipient opened or
previewed it. In the less serious case, the attacker 
could cause the mail client to fail. If this happened, the recipient
could resume normal operation by restarting the mail 
client and deleting the offending mail. In the more serious case, the
attacker could cause the mail client to run code of 
their choice on the user's machine. Such code could take any desired
action, limited only by the permissions of the recipient 
on the machine. 

This vulnerability could only affect messages that are signed using
S/MIME and sent to an Outlook Express user. Users of 
Microsoft Outlook products are not affected by this vulnerability.

Mitigating Factors:
====================
 - Microsoft Outlook is not affected by this vulnerability. 
 - Outlook Express runs in the context of the user. Exploiting this
   vulnerability would in the worst case scenario allow an attacker
   to run arbitrary code in the context of the users' privileges 
   only. Any restrictions on the users' account would apply to 
   the attackers code.

Risk Rating:
============
 - Internet systems: Low
 - Intranet systems: Low
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-058.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Noam Rathaus of Beyond Security Ltd.
(http://www.beyondsecurity.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR 
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME 
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPaW7TI0ZSRQxA/UrAQFi0Af/eL4Fozaqs5tzr8NX7ssq3Ywm0Uu207Ty
porTd5O0F2biSp1K2cl2rMwPUOeafFe3Ei95FSsA8HGmxfA3IEpak34mTIgZQ9FE
mEGyEiu6BNc0UEgn25HL3wHN15aOf4pJnr2MggCs8tpSyhY9w5jTWwgAne870T9h
GGp0xJXxZN5LXdz2rgdQC8OpiFXs/wb221VNtg8T6emXCfOqIp7RhHowHxTEqcp6
Ypot7OarDpaL+fGDrB5xEMMd/tag2z8CiZaNhRqZC0l93UpFvhK6oOfjhmtwhiz1
v6QkFAa8Gg31/Kf3XTyi808FC8qPvK9NjHvrDbJD5URo/N6RLE7CgQ==
=5pFL
-----END PGP SIGNATURE-----