===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Egon Verharen                          Index  : S-98-49
Distribution  : World                                  Page   : 1
Classification: External                               Version: 1
Subject       : Microsoft Outlook Express/98 Overrun Vulnerability
Date          : 28-Jul-98
===============================================================================

By courtesy of AUSCERT we received information on a vulnerability in
Microsoft Outlook 98 and Outlook Express. CERT-NL STRONGLY recommends
installing the patches described IMMEDIATELY.

This is a SERIOUS vulnerability that concerns not only Microsoft Outlook
(Express and 98) on several operating systems and platforms, but also
Netscape Messenger (Mail) (part of Communicator 4.05 and Communicator 4.5b)
on Windows (95, 98, NT), Macintosh and Solaris platforms.

At this time only Microsoft has provided a security bulletin and patches for
this problem. Netscape issued a statement that the vulnerabilities will be
dealt with in the forthcoming official release of Communicator 4.06, due out
around August 7. As soon as another fix for the Netscape vulnerability
becomes available (or another security advisory on this topic) we will of
course forward it as soon as possible.

A similar security advisory about this vulnerability has also been issued by
CIAC: no. I-077a, titled "MIME Name Vulnerability in Outlook and Messenger"
( http://www.ciac.org/ciac/bulletins/i-077a.shtml ). Both advisories describe
the steps to be taken to overcome this vulnerability.

In addition to the information in the Microsoft Security bulletin
( http://www.microsoft.com/security/bulletins/ms98-008.htm ) on obtaining the
patches, Microsoft also announced that it has made the Outlook Express buffer
overrun patch available via Windows Update in addition to the other methods
available.
Windows 98 users are able to update their Outlook Express by clicking on the
Windows Update icon in their start menu.

Finally, the fixes are also available on Microsoft's European Web site:

    http://www.eu.microsoft.com/ie/security/?/ie/security/oelong.htm

===========================================================================
AA-98.02                        AUSCERT Advisory
                    Microsoft Outlook Overrun Vulnerability
                                28 July 1998

Last Revised: --

---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
Microsoft Outlook 98 and Microsoft Outlook Express products available on
various operating systems and platforms including Windows '95, Windows '98,
Windows NT, Solaris and Macintosh.

This vulnerability may allow attackers to execute arbitrary commands on the
vulnerable systems.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in
    Microsoft Outlook 98 and Microsoft Outlook Express products available on
    various operating systems and platforms including Windows '95,
    Windows '98, Windows NT, Solaris and Macintosh.

    Due to insufficient checking while processing MIME name tags supplied in
    an email message (such as file attachments with long names) a buffer
    overrun in Microsoft Outlook 98 or Microsoft Outlook Express may occur.
    This vulnerability may be exploited to force those programs to execute
    arbitrary commands with the privileges of the user running the program.

    AUSCERT is unaware of any incidents in which this vulnerability has been
    exploited.
    However, AUSCERT agrees with the assessment of this vulnerability by
    CIAC who state "the ease with which it can be exploited, the wide
    distribution of vulnerable readers, and the potential for damage makes
    it a very serious problem."

    This vulnerability can be exploited when a user is attempting to
    download, open or launch a file attachment. Note that the problem is
    exploitable by embedding exploit code in attachment identifiers, rather
    than the attachment contents.

    As the attack occurs via an email message it is unlikely to be stopped
    or detected by current firewalls and anti-virus products.

    Information regarding which versions of Microsoft Outlook 98 and
    Microsoft Outlook Express are vulnerable can be found in Section 3.

2.  Impact

    The exploit allows an attacker to execute arbitrary commands on the
    victim machine with the privileges of the victim user.

3.  Workarounds/Solution

    Microsoft have issued a Security Bulletin (MS98-008) describing this
    vulnerability. This bulletin lists all versions of Microsoft Outlook 98
    and Microsoft Outlook Express which are known to be affected and
    includes patch/workaround information. It is available from:

        http://www.microsoft.com/security/bulletins/ms98-008.htm

    AUSCERT encourages sites to install the patches recommended above as
    soon as possible.

---------------------------------------------------------------------------

AUSCERT thanks Ari Takanen and Marko Laakso of the Finnish Oulu University
Secure Programming Group for drawing this problem and its solution to our
attention. We acknowledge the COAST team and Russ Cooper of NTBugtraq for
their assistance in its resolution.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
   http://www.surfnet.nl/surfnet/security/cert-nl.html
   ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305        BUSINESS HOURS ONLY
Fax:       +31 302 305 329        BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

NOODGEVALLEN: 06 52 87 92 82      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82   ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
==============================================================================
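
Added example, not part of the CERT-NL or AUSCERT text: the Description says the overrun is triggered by long MIME name tags in the attachment identifiers rather than the attachment contents, so a mail gateway can measure those identifiers before delivery. The 255-character limit, the function names and the sample message are assumptions constructed here; the advisory states no length.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed gateway policy; the advisory gives no threshold

# Header parameters that carry an attachment's name.
CHECKS = (("content-type", "name"), ("content-disposition", "filename"))


def build_sample(name_len):
    """Constructed test message with one attachment named 'x' * name_len + '.txt'."""
    name = "x" * name_len + ".txt"
    return (
        "From: sender@example.org\r\n"
        "To: user@example.org\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n\r\nhello\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{name}"\r\n'
        f'Content-Disposition: attachment; filename="{name}"\r\n'
        "\r\nZGF0YQ==\r\n"
        "--b1--\r\n"
    ).encode("ascii")


def long_attachment_names(raw, limit=MAX_NAME_LEN):
    """Return (part_index, header, parameter, length) for each over-long name."""
    findings = []
    msg = message_from_bytes(raw)
    for index, part in enumerate(msg.walk()):
        for header, param in CHECKS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            if isinstance(value, tuple):
                # RFC 2231 encoded value: (charset, language, text)
                value = collapse_rfc2231_value(value)
            # get_param has already rejoined name*0/name*1 continuations,
            # so the length tested is that of the reassembled name.
            if len(value) > limit:
                findings.append((index, header, param, len(value)))
    return findings


if __name__ == "__main__":
    for finding in long_attachment_names(build_sample(300)):
        print("quarantine:", finding)
```

A message with any finding would be quarantined or have the parameter truncated before it reaches an unpatched client; the check looks only at headers, which is where the advisory locates the problem.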