FW: Alert: Arbitrary code execution via email or news

From: Patrick Oonk (patrickat_private)
Date: Mon Jul 27 1998 - 09:08:30 PDT

    -----Original Message-----
    From: Windows NT BugTraq Mailing List
    [mailto:NTBUGTRAQat_private] On Behalf Of Russ
    Sent: Monday, July 27, 1998 5:55 PM
    To: NTBUGTRAQat_private
    Subject: Alert: Arbitrary code execution via email or news
    
    
    A buffer overrun has been detected in Outlook Express (v4.72.2106.4 &
    v4.72.3110.1), and Netscape Mail (v4.05 & 4.5b1). So far only the
    Macintosh versions have proven unaffected. Ari Takanen and Marko Laakso
    of the Finnish Oulu University Secure Programming Group
    <http://www.ee.oulu.fi/groups/ouspg> discovered it back in late June.
    They have been working closely with AUSCERT and the vendors. CIAC, and
    COAST/CERIAS (via Gene Spafford) have also been involved.
    
    NTBugtraq was brought in quietly to help facilitate communications back
    on July 3rd, and using its contacts and discretion, has helped to
    facilitate speedy fixes and involvement of the appropriate groups.
    
    The exploit method is slightly different in the two different products
    (MS versus NS), but it centers around the malicious use of tags used to
    identify an attachment. The attachment itself is not relevant; its
    contents need not contain any exploit. The tags that identify the
    attachment contain the exploit code. Therefore, the exploit code can be
    invoked without actually opening the attachment itself (and in at least
    one test scenario, without even opening the message!).
    
    The exploit has been demonstrated in email and news, and has been
    confirmed by both Microsoft and Netscape. COAST has suggested that
    Eudora is thus far unaffected by the same problem.
    
    There are too many possible avenues of exploit to document here, and
    many have not yet been tested. Attachment type does not appear to
    matter, so it could as easily be done with a .txt file as a .gif, or
    .doc, or .zip.
    
    Thus far there is no demonstration exploit available in the wild, thank
    God, but it's likely that such a program will appear. As long as affected
    versions of the exploitable software continue to exist (and there is
    enough of them around to say they'll likely exist for a long time, like
    the version shipped with Windows '98), the chances of a new Internet
    Worm loom over our heads.
    
    Meanwhile, look for an MS Security Bulletin shortly (it's due to be
    released at 9:00am PST) indicating the location of a fix. Netscape have
    said that the fix for Netscape Mail will be included in their v4.06
    release, due out around August 7th. They indicated they may put
    something up on their website about this today.
    
    The exploit does work on Windows NT, as well as Windows '95/'98, and
    with Outlook Express on Solaris 2.x. Microsoft indicated they found an
    issue with Outlook '98 also, look for details of this in their bulletin.
    
    I have written a very long editorial of the issue and will post it to
    the NTBugtraq website later today. For now, hold off on asking questions
    until after the MS Bulletin is released.
    
    Cheers,
    Russ
    
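The bug class Russ describes above, as an added example that is not part of the original post and is not Outlook Express or Netscape Mail code: the sender-controlled attachment name carried in a MIME header parameter is copied into a fixed-size buffer with no length check, so a crafted header alone, with no attachment body and no user action on the attachment, corrupts memory. The header strings, the 64-byte buffer and every function name here are assumptions for illustration; the hardened variant shows the check a parser needs, rejecting an over-long name at parse time.

```c
/*
 * Added example, not from the advisory and not either vendor's code.
 * Illustrates the bug class only: an attachment name taken from a
 * Content-Disposition header and copied into a fixed-size buffer.
 * NAME_BUF, the sample headers and all names are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_BUF 64   /* assumed fixed on-stack buffer; real clients differ */

/* Locate parameter `param` (e.g. "filename") in a header such as
 *   Content-Disposition: attachment; filename="report.txt"
 * Returns a pointer to the first byte of the value and stores its length
 * in *len, or NULL if absent. Surrounding quotes are stripped. */
static const char *find_param(const char *hdr, const char *param, size_t *len)
{
    size_t plen = strlen(param);
    const char *p = hdr;
    while ((p = strstr(p, param)) != NULL) {
        /* whole-word match: preceded by start/space/';' and followed by '=' */
        if ((p == hdr || p[-1] == ' ' || p[-1] == ';' || p[-1] == '\t')
            && p[plen] == '=') {
            const char *v = p + plen + 1;
            const char *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL) end = v + strlen(v);
            } else {
                end = v + strcspn(v, "; \t\r\n");
            }
            *len = (size_t)(end - v);
            return v;
        }
        p += plen;
    }
    return NULL;
}

/* VULNERABLE pattern: trusts the attacker-controlled length. A name longer
 * than NAME_BUF-1 bytes overruns `name` on the caller's stack. Note that only
 * the header is parsed; the attachment body is never touched. Shown for
 * contrast; main() calls it on benign input only. */
void extract_filename_unsafe(const char *hdr, char *name /* NAME_BUF bytes */)
{
    size_t len;
    const char *v = find_param(hdr, "filename", &len);
    if (v == NULL) { name[0] = '\0'; return; }
    memcpy(name, v, len);          /* no bound check against NAME_BUF */
    name[len] = '\0';
}

/* HARDENED: the same extraction with the missing check. Returns 0 on
 * success, -1 when the name would not fit (rejected), -2 when absent. */
int extract_filename_safe(const char *hdr, char *name, size_t namesz)
{
    size_t len;
    const char *v = find_param(hdr, "filename", &len);
    if (v == NULL) return -2;
    if (len >= namesz) return -1;  /* would overflow: refuse the header */
    memcpy(name, v, len);
    name[len] = '\0';
    return 0;
}

/* Constructed sample inputs (not real captured mail). */
const char *benign_hdr = "Content-Disposition: attachment; filename=\"notes.txt\"";

/* Build a header whose filename is `n` bytes of 'A'; returns a static buffer. */
const char *long_hdr(size_t n)
{
    static char buf[512];
    const char *prefix = "Content-Disposition: attachment; filename=\"";
    size_t plen = strlen(prefix);
    if (plen + n + 2 >= sizeof buf) n = sizeof buf - plen - 3;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    buf[plen + n] = '"';
    buf[plen + n + 1] = '\0';
    return buf;
}

/* Verdict of the hardened parser for a header, using a NAME_BUF buffer. */
int verdict_for(const char *hdr)
{
    char name[NAME_BUF];
    return extract_filename_safe(hdr, name, sizeof name);
}

/* 1 if the hardened parser accepts `hdr` and yields exactly `expect`. */
int parses_to(const char *hdr, const char *expect)
{
    char name[NAME_BUF];
    return extract_filename_safe(hdr, name, sizeof name) == 0
        && strcmp(name, expect) == 0;
}

int main(void)
{
    char name[NAME_BUF];
    extract_filename_unsafe(benign_hdr, name);   /* fine on benign input */
    printf("unsafe parser, benign header : %s\n", name);
    printf("safe parser, benign header   : %d\n", verdict_for(benign_hdr));
    printf("safe parser, 300-byte name   : %d\n", verdict_for(long_hdr(300)));
    printf("safe parser, no filename     : %d\n", verdict_for("Content-Type: text/plain"));
    return 0;
}
```

On benign mail both parsers behave identically, which is why this class of bug survives testing; the difference appears only on a header that no legitimate client produces. A mail gateway can apply the same bound to the `name=` and `filename=` parameters of incoming messages and quarantine anything over a sane length, which blocks the delivery vector independently of the client fix.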



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:17 PDT