Digg this story   Add to del.icio.us  
Update: MS Battles Outlook Bug
Kevin Poulsen, SecurityFocus 2000-07-19

Upgrading Microsoft Explorer fixes a newly discovered hole in Outlook that threatens email-borne havoc.

Read the File

A newly discovered vulnerability in Microsoft's Outlook and Outlook Express programs leave thousands of computers open to attack from malicious email, and puts the lie to the conventional wisdom that you can't get a computer virus if you don't open attachments. Microsoft issued an advisory on the bug Wednesday morning, after a programmer announced it to the world over the Bugtraq mailing list Tuesday. In the advisory, Microsoft says Outlook users can eliminate the vulnerability by upgrading to Internet Explorer 5.01 Service Pack 1, or, Explorer 5.5. Either upgrade will patch the hole on Windows 95, 98 or NT. Windows 2000 users must install the Service Pack to close the hole. The bug is a classic "buffer overflow" error in the section of Outlook that parses the Date field of each incoming email. By padding the date with a long string of characters, an attacker can escape from the area of memory reserved for storing it, and into a section that executes instructions. From there, the attacker's email could secretly infect a victim computer with a "back door" program like Back Orifice, or instruct it to send the offending email back out to the net like the LoveLetter virus. The vulnerability doesn't require any attachment to the email; Outlook users need only read a message to be hit. Outlook Express users are even more vulnerable, and can fall prey to malicious code without reading the message, or even being at their computer when it comes in. "This has the potential to be the worst one we've seen yet," said Brian Martin, a senior security engineer at Maryland-based Digital Systems International Corporation. "If this can execute as soon as the mail is received, oh man, that's just perfect." MS Credits USSR Based on a hurried analysis Tuesday night, Martin said that the bug could likely be used to take control of vast numbers of machines at a time. "What if you had a mail list with thousands of people and you posted to that?," said Martin. "One well-placed email and you can probably infect thousands of people with a Back Orifice or a NetBus." Aaron Drew announced the bug to the Bugtraq mailing list on Tuesday, along with code that ostensibly demonstrates the hole. MSNBC reported that the hole was also discovered over a month ago by researchers at USSR Labs, which also boasts working exploit code. Both the news service and the security group kept it a secret while awaiting a Microsoft fix. The Microsoft advisory credits USSR Labs for reporting the bug to them, "and working with us to protect customers." Outlook's vulnerability to running malicious code without any user interaction raises the ominous threat that a virus writer might create a fast spreading worm that would spread in the style of Melissa or last May's "ILoveYou" virus, but without the need to trick people into running hostile attachments. Experts fear that many users -- perhaps most -- will invariably fail to close the hole and will thus remain open to attack. "Nobody downloads their security patches," said Dan Schrader, an anti-virus expert at Trend Micro Tuesday. "Which is unfortunate, because it's relatively simple to do." Martin warned that attackers won't be losing interest. "Between [USSR Labs] already having the code, and someone else posting follow up code to a public source, there are probably a dozen people working on their own version. And they're probably each figuring out the best ways to exploit this."

    Digg this story   Add to del.icio.us  
Comments Mode:
Microslow 2000-07-19
Anonymous
Still using outlook? 2000-07-19
Anonymous (2 replies)
Still using outlook? 2000-07-20
Anonymous (2 replies)
Still using outlook? 2000-07-20
Anonymous (3 replies)
Still using outlook? 2000-07-21
Anonymous
Still using outlook? 2000-07-23
Anonymous (3 replies)
Still using outlook? 2000-07-24
Anonymous
Still using outlook? 2000-07-25
Anonymous
Re: Still using outlook? 2005-09-08
Roach
Still using outlook? 2000-07-24
Anonymous
Still using outlook? 2000-07-24
Anonymous
Still using outlook? 2000-07-21
Anonymous
Shame to Microsoft 2000-07-19
Anonymous (1 replies)
Shame to Microsoft 2000-07-21
Anonymous
Micro?? 2000-07-19
Anonymous
Easy to use 2000-07-20
Anonymous
Server Filtering 2000-07-20
Eric Andry <eric (at) wincom (dot) net [email concealed]> (1 replies)
Server Filtering 2000-07-24
Anonymous
Is the cure worse than the problem? 2000-07-20
Anonymous (2 replies)
Is the cure worse than the problem? 2000-07-21
Anonymous (1 replies)
Is the cure worse than the problem? 2000-07-21
Eric Andry <eric (at) wincom (dot) net [email concealed]> (1 replies)
Is the cure worse than the problem? 2000-07-24
Anonymous (1 replies)
I guess a good solution for MS is... 2000-07-20
Anonymous (2 replies)
I guess a good solution for MS is... 2000-07-21
Anonymous (1 replies)
Its so easy to use! 2000-07-21
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus