---

VNU Net: Outlook contains ‘gaping’ security hole

By John Leyden, VNU Net

Microsoft has warned that Outlook and Outlook Express users
could become infected by email viruses before they open or preview
infected messages.

The vulnerability is particularly serious because an infection
can take place at the point when the email is being downloaded from
the server, rather than when an infected email is opened – the
method used in the spread of some of the most deadly viruses yet,
including the LoveLetter virus.

All Outlook users on Windows 2000 are affected, as are users of
Outlook Express bundled with Internet Explorer (IE). Microsoft
recommends that users upgrade to either IE 5.01 service pack 1 or
IE 5.5 in order to protect themselves against the vulnerability. It
is also working on patches to Outlook and Outlook Express that do
not involve a full version upgrade.

In a security notice, Microsoft admitted that Outlook is
vulnerable to buffer overflows which could be exploited to allow an
attacker to cause an email client to either crash or run malicious
code.

“Such code could take any action that the user was authorised to
take on the machine, including reformatting the hard drive,
communicating with an external website, or changing data on the
computer,” said Microsoft.

The cause of the problem is that a component shared by Outlook
and Outlook Express uses an unchecked buffer when parsing email
headers as mail is downloaded via either POP3 or IMAP4. A bogus and
extremely long date field can crash an Outlook email client and
write excess data, which could be malicious code, into
portions of memory where it might then be executed.
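The missing bounds check can be illustrated with a short C sketch of a date-field parser that rejects an over-long value before copying it. This is an added example, not Microsoft's code or anything from the security notice; the function names, the 64-byte limit and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DATE_MAX 64   /* assumed cap; a well-formed Date value is ~31 bytes */
enum { DATE_OK = 0, DATE_MISSING = -1, DATE_TOO_LONG = -2 };

/* Copy the first Date: value from a NUL-terminated header block into
 * out[out_sz]. Over-long values are rejected, not truncated. Folded
 * continuation lines are not handled in this sketch. */
int extract_date(const char *hdrs, char *out, size_t out_sz)
{
    if (out_sz == 0) return DATE_TOO_LONG;
    out[0] = '\0';
    for (const char *line = hdrs; *line && *line != '\r' && *line != '\n'; ) {
        size_t len = strcspn(line, "\r\n");          /* this header line */
        if (len >= 5 && strncasecmp(line, "Date:", 5) == 0) {
            const char *val = line + 5;
            size_t vlen = len - 5;
            while (vlen && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            /* The step an unchecked copy skips: length vs. capacity. */
            if (vlen >= out_sz) return DATE_TOO_LONG;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return DATE_OK;
        }
        line += len;                                 /* skip CRLF or LF */
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return DATE_MISSING;                             /* blank line: body */
}

/* Constructed input: a Date field padded with n filler bytes. */
int try_padded_date(size_t n)
{
    static char msg[8192];
    char out[DATE_MAX];
    if (n > sizeof msg - 16) return DATE_TOO_LONG;   /* demo buffer limit */
    memcpy(msg, "Date: ", 6);
    memset(msg + 6, 'A', n);
    memcpy(msg + 6 + n, "\r\n\r\n", 5);
    return extract_date(msg, out, sizeof out);
}

int main(void)
{
    printf("short=%d long=%d\n", try_padded_date(31), try_padded_date(4000));
    return 0;
}
```

Rejecting the field outright, rather than truncating it, also gives a mail gateway or client a clear signal that the message is malformed.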

“The danger in this vulnerability is that the buffer overrun
would occur even if the user does not open or preview the email
message,” according to Argentinian security firm Underground
Security Systems Research, which discovered the vulnerability.

“The new generation of virus is here. By sending a malformed
email you can run arbitrary code on a remote machine,” the company
added.

Jack Clark, European product manager for Network Associates,
said: “This looks like a gaping hole in Microsoft’s security, but
it is not yet connected with threats you can’t deal with using
antivirus software.”

Neil Barrett, technical director of Information Risk Management,
said: “If the core component of Outlook, an established and
frequently updated Microsoft product, is subject to buffer
overflows, we can only expect a lot more buffer overflows to
come.”

Despite the fact that Windows 2000 users will need to wait for
the forthcoming Service Pack 1 to be protected from the problem,
Microsoft is seeking to reassure its users. On other platforms a
default installation of either IE 5.01 Service Pack 1 or IE 5.5
would protect users from the problem.

Microsoft also pointed out that the problem does not affect the
Messaging Application Programming Interface protocol, used by
default when Outlook is used with Microsoft Exchange Server.
