SecurityFocus, 2000-07-18
A massive hole in Microsoft's ubiquitous mail program could lead to email-borne havoc.
There are probably a dozen people each figuring out the best ways to exploit this.
The bug, which is known to affect Windows 95, 98 and NT, is a classic "buffer overflow" error in the section of Outlook that parses the Date field of each incoming email. By padding the date with a long string of characters, an attacker can escape from the area of memory reserved for storing it, and into a section that executes instructions. From there, the attacker's email could secretly infect a victim computer with a "back door" program like Back Orifice, or instruct it to send the offending email back out to the net like the LoveLetter virus.
The vulnerability doesn't require any attachment to the email; Outlook users need only read a message to be hit. Outlook Express users are even more vulnerable, and can fall prey to malicious code without reading the message, or even being at their computer when it comes in.
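The article describes the trigger as a Date header padded far beyond what the field should hold. As an added example, not code from the article or from the researchers it names, here is a mail-gateway style check that flags such headers before they reach a client; the 64-character threshold is an assumption, since the page gives no buffer size, but a well-formed RFC 2822 Date header is much shorter than that.

```python
# Added example (not code from the article or from the disclosing
# researchers): a gateway check for oversized or malformed Date headers of
# the kind the Outlook overflow relies on. The 64-character limit is an
# assumption: a well-formed RFC 2822 Date header is far shorter, so an
# oversized one is suspicious whatever the exact size of Outlook's buffer.
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_DATE_HEADER_LEN = 64  # assumption, see above


def inspect_date_header(raw_message: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one raw message."""
    msg = message_from_string(raw_message)
    dates = msg.get_all("Date") or []
    findings = []
    for value in dates:
        value = " ".join(value.split())  # collapse folded-header whitespace
        if len(value) > MAX_DATE_HEADER_LEN:
            findings.append(f"oversized Date header ({len(value)} chars)")
        try:
            parsedate_to_datetime(value)
        except (TypeError, ValueError):  # TypeError on Python < 3.10
            findings.append("unparseable Date header")
    if len(dates) > 1:
        findings.append(f"{len(dates)} Date headers in one message")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages, not real traffic.
BENIGN = (
    "From: alice@example.test\r\nTo: bob@example.test\r\n"
    "Date: Tue, 18 Jul 2000 09:15:00 -0700\r\nSubject: hi\r\n\r\nhello\r\n"
)
# A syntactically valid date followed by padding: the date still parses,
# which is why a length check is needed rather than date parsing alone.
PADDED = (
    "From: mallory@example.test\r\nTo: bob@example.test\r\n"
    "Date: Tue, 18 Jul 2000 09:15:00 -0700 " + "A" * 4000 + "\r\n"
    "Subject: hi\r\n\r\nhello\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("padded", PADDED)):
        print(name, inspect_date_header(sample))
```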
"This has the potential to be the worst one we've seen yet," said Brian Martin, a senior security engineer at Maryland-based Digital Systems International Corporation. "If this can execute as soon as the mail is received, oh man, that's just perfect."
Based on a hurried analysis, Martin said that the bug could likely be used to launch massive attacks on vast numbers of machines at a time. "What if you had a mail list with thousands of people and you posted to that?" said Martin. "One well-placed email and you can probably infect thousands of people with a Back Orifice or a NetBus."
Aaron Drew discovered the vulnerability, and posted the details to the Bugtraq mailing list on Tuesday, along with code that ostensibly demonstrates the bug. MSNBC reports that the hole was also discovered over a month ago by researchers at USSR Labs, which also boasts working exploit code. Both the news service and the security group kept it a secret while awaiting a Microsoft fix.
As of Tuesday evening, Microsoft had not yet issued a patch, and the company's PR firm could not be reached for comment. Email to Microsoft's security team went unanswered.
Outlook's vulnerability to running malicious code without any user interaction raises the ominous threat that a virus writer might create a fast-spreading worm that would spread in the style of Melissa or last May's "ILoveYou" virus, but without the need to trick people into running hostile attachments. While it's expected that Microsoft will release a patch for the bug soon, many users -- perhaps most -- will invariably fail to install it and will thus remain open to attack. "Nobody downloads their security patches," says Dan Schrader, an anti-virus expert at Trend Micro. "Which is unfortunate, because it's relatively simple to do."
Martin agrees, estimating that as few as 25% of users download security patches regularly. He blames that trend on the lag time between press coverage of a vulnerability and the release of a patch to fix it -- days or weeks in which busy people forget their initial alarm. But, he warns, attackers won't be losing interest. "Between [USSR Labs] already having the code, and someone else posting follow-up code to a public source, there are probably a dozen people working on their own version. And they're probably each figuring out the best ways to exploit this," Martin says.
"It seems like a very serious vulnerability," says Martin. "One that's going to come close to ILoveYou."