From: X-Force <xforce@iss.net>
To: alert@iss.net
Date: Wed, 19 Jul 2000 16:27:35 -0400
Subject: ISSalert: ISS Security Alert: Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients

Internet Security Systems Security Alert
July 19th, 2000

Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients

Synopsis:

On July 18th, details of a high-risk remote buffer overflow vulnerability were made public. This vulnerability has the potential to expose millions of email users to malicious attack and compromise. All current versions of Microsoft Outlook and Microsoft Outlook Express are vulnerable.

Impact:

This vulnerability is far more severe than the recent deluge of the ILOVEYOU Visual Basic virus and its clones. In the case of the ILOVEYOU virus, the exploit payload was delivered when the user opened the included attachment. This vulnerability does not involve attachments, and the exploit code may be executed without the user's knowledge. In some cases, the target machine may already be compromised before the message is even read. Detection of this new threat with conventional tools is very difficult. To make detection and filtering even more difficult, some conventional methods of preventing such attacks can easily be circumvented, and such circumventions are already being discussed publicly.

Affected Versions:

Microsoft Outlook Express 4.0
Microsoft Outlook Express 4.01
Microsoft Outlook Express 5.0
Microsoft Outlook Express 5.01
Microsoft Outlook 97
Microsoft Outlook 98
Microsoft Outlook 2000

Unaffected Users:

Microsoft Exchange mail systems using MAPI (Messaging API) are not affected.
Users are only exposed if they use the affected mail clients to retrieve their email using the POP3 or IMAP protocols. Users who have installed Internet Explorer 5.01 Service Pack 1, and users who have installed Internet Explorer 5.5 on any version of Windows other than Windows 2000, are not at risk from this vulnerability.

Description:

The vulnerability is caused by a buffer overflow in the parsing of the time zone in the 'Date' field of incoming email. The exploit is delivered by sending email messages containing the exploit payload. If an overly long 'Date' string is provided in the form of a carefully crafted exploit, this code can be executed once the message is read, replied to, or forwarded. In some cases, the message does not even have to be read for the code to be executed. This exploit is very dangerous because the entire process, from delivery to execution, is completely hidden from the user. Sample exploit code provided by researchers demonstrates the capability to remotely run and install software without the knowledge of the end user. These types of exploits are traditionally used by attackers to install backdoor programs to further compromise the affected host.

All current versions of Microsoft Outlook and Microsoft Outlook Express are vulnerable. The details of the vulnerability differ slightly between the two affected clients. Microsoft Outlook Express exposes users to this vulnerability if the tainted email is in an open folder, or even if the message is previewed. Outlook will only execute the exploit code if the email is opened, replied to, or forwarded. Outlook users will therefore be able to delete tainted emails without compromising their systems; Outlook Express users attempting to delete tainted emails will already have been exposed.
Fix Information:

The following fix information has been provided by Microsoft (in Microsoft Security Bulletin MS00-043):

The vulnerability can be eliminated by a default installation of either of the following upgrades:

- Internet Explorer 5.01 Service Pack 1
- Internet Explorer 5.5 on any system except Windows 2000

Note: A non-default installation of IE 5.01 SP1 or IE 5.5 will also eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.

Note: When installed on a Windows 2000 machine, IE 5.5 does not install upgraded Outlook Express components, and therefore does not eliminate the vulnerability. However, Windows 2000 Service Pack 1 will install IE 5.5 and upgrade the Outlook Express components at the same time.

Note: Patches will be available shortly that will eliminate the vulnerability without requiring a full version upgrade. When they are available, we will update this bulletin and re-release it.

Recommendations:

Internet Security Systems RealSecure customers can use the following procedure to detect and/or kill malicious email traveling over SMTP:

1. From the View menu, select 'Network Sensor Policies' or 'Network Engine Policies', depending on the version of RealSecure you are using.
2. Select your policy, and then click 'Customize...'.
3. Click the 'User Defined Events' tab.
4. Click 'Add' on the right-hand side of the dialog box.
5. Type in a name for the event, such as 'Outlook Date Overflow'.
6. In the 'Context' field, select 'Email_Content'.
7. In the 'String' field, type the following:

   ^Date: (.{50,50}|.*[^ -~]+)

8. You may want to configure RealSecure to kill the connection by editing the 'Response' field to include the RSKILL action.
9. Click 'Save', and then click 'Close'.
10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of RealSecure you are using.
RealSecure will now detect messages with a Date: field that is longer than 50 characters, or that contains any non-printable characters (outside the ASCII range 0x20 to 0x7E, space through tilde). This signature can produce a false positive if a line of an e-mail starts with "date: " and is followed on the same line by at least 50 characters, or by any non-printable or extended ASCII characters. If you have a high false positive rate, increase both numbers in the regular expression from 50 to 70.

ISS' SAFEsuite intrusion detection system, RealSecure, will include new attack signatures to detect this vulnerability in the next X-Press Update. ISS' SAFEsuite network security assessment product, Internet Scanner, will have checks available to detect this vulnerability in the next X-Press Update.

Additional Information:

Microsoft has provided the following information in regards to this vulnerability. The Microsoft FAQ on the vulnerability is available at:

Microsoft Knowledge Base article Q267884 will provide some information on the vulnerability when it becomes available.

In addition, all queries for Microsoft-related security information should be directed to the Microsoft TechNet Security web site at:

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide, including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.