Update: MS Battles Outlook Bug
Upgrading Microsoft Explorer fixes a newly discovered hole in Outlook that threatens email-borne havoc.
There are probably a dozen people each figuring out the best ways to exploit this.
A newly discovered vulnerability in Microsoft's Outlook and Outlook Express programs leave thousands of computers open to attack from malicious email, and puts the lie to the conventional wisdom that you can't get a computer virus if you don't open attachments.
Microsoft issued an advisory on the bug Wednesday morning, after a programmer announced it to the world over the Bugtraq mailing list Tuesday. In the advisory, Microsoft says Outlook users can eliminate the vulnerability by upgrading to Internet Explorer 5.01 Service Pack 1, or, Explorer 5.5. Either upgrade will patch the hole on Windows 95, 98 or NT. Windows 2000 users must install the Service Pack to close the hole.
The bug is a classic "buffer overflow" error in the section of Outlook that parses the Date field of each incoming email. By padding the date with a long string of characters, an attacker can escape from the area of memory reserved for storing it, and into a section that executes instructions. From there, the attacker's email could secretly infect a victim computer with a "back door" program like Back Orifice, or instruct it to send the offending email back out to the net like the LoveLetter virus.
The vulnerability doesn't require any attachment to the email; Outlook users need only read a message to be hit. Outlook Express users are even more vulnerable, and can fall prey to malicious code without reading the message, or even being at their computer when it comes in.
"This has the potential to be the worst one we've seen yet," said Brian Martin, a senior security engineer at Maryland-based Digital Systems International Corporation. "If this can execute as soon as the mail is received, oh man, that's just perfect."
MS Credits USSR
Based on a hurried analysis Tuesday night, Martin said that the bug could likely be used to take control of vast numbers of machines at a time. "What if you had a mail list with thousands of people and you posted to that?," said Martin. "One well-placed email and you can probably infect thousands of people with a Back Orifice or a NetBus."
Aaron Drew announced the bug to the Bugtraq mailing list on Tuesday, along with code that ostensibly demonstrates the hole. MSNBC reported that the hole was also discovered over a month ago by researchers at USSR Labs, which also boasts working exploit code. Both the news service and the security group kept it a secret while awaiting a Microsoft fix. The Microsoft advisory credits USSR Labs for reporting the bug to them, "and working with us to protect customers."
Outlook's vulnerability to running malicious code without any user interaction raises the ominous threat that a virus writer might create a fast spreading worm that would spread in the style of Melissa or last May's "ILoveYou" virus, but without the need to trick people into running hostile attachments. Experts fear that many users -- perhaps most -- will invariably fail to close the hole and will thus remain open to attack. "Nobody downloads their security patches," said Dan Schrader, an anti-virus expert at Trend Micro Tuesday. "Which is unfortunate, because it's relatively simple to do."
Martin warned that attackers won't be losing interest. "Between [USSR Labs] already having the code, and someone else posting follow up code to a public source, there are probably a dozen people working on their own version. And they're probably each figuring out the best ways to exploit this."