---------- Forwarded message ----------
Date: Mon, 27 Jul 1998 09:22:22 -0700
From: Microsoft Product Security Response Team <secureat_private>
To: MICROSOFT_SECURITYat_private
Subject: Microsoft Security Bulletin (MS98-008)

Microsoft Security Bulletin (MS98-008)
--------------------------------------

Update Available For Long Filename Security Issue affecting Microsoft Outlook 98 and Microsoft Outlook Express 4.x

Last Revision: July 27, 1998

Summary
=======

Recently Microsoft was notified by AUSCERT (http://www.auscert.org.au), OUSPG (http://www.oulu.fi) and NTBugtraq (http://ntbugtraq.ntadvice.com) of a security issue affecting the way Microsoft email clients handle file attachments with extremely long file names. When a user attempts to download, open or launch a file attachment that has a name greater than a certain number of characters, the action might cause the client to shut down unexpectedly. Once the client has crashed, a skilled hacker could possibly run arbitrary code in the computer's memory.

The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.

Issue
=====

This issue can cause one of the following to occur when attempting to download, launch or view a file attachment in Microsoft Outlook 98 or Microsoft Outlook Express that has a name that is greater than a certain number of characters:

1. An error message similar to the following may be displayed:

   This program has performed an illegal operation and will be shut down. If the problem persists, contact the program vendor.

2. Outlook 98 or Outlook Express may terminate unexpectedly.

It is difficult but possible for an individual to cause malicious code to be executed on your computer as a result of this problem. There have not been any reports of customers being affected by this problem.

Specific Details
================

Outlook 98
----------

When Outlook 98 attempts to download a message with a file attachment that has a filename greater than a certain length, Outlook could terminate unexpectedly. The user does not have to open the attachment in order for this to occur. This issue will only occur if Outlook 98 is installed with an Internet Mail Only configuration, or with an Internet Mail service in the Corporate/Workgroup configuration.

When the user attempts to open an attachment in the Outlook 98 newsreader and the attachment has a filename longer than a certain number of characters, the client could crash. (see Workaround for the newsreader below)

Outlook Express
---------------

When the user attempts to open an attachment in Outlook Express mail or news client and the attachment has a filename longer than a certain number of characters, the client could terminate unexpectedly. (see Workaround below)

Affected Software Versions
==========================

* Outlook 98 on Windows '95, Windows '98 and Windows NT, when configured for Internet Mail Only OR Corporate/Workgroup support with an Internet Mail service. Outlook 97 and Outlook for Macintosh, Microsoft Exchange Server Edition are not affected by this issue.
* Outlook Express included with Internet Explorer 4.0, 4.01 & 4.01 with Service Pack 1 on Windows '95, Windows '98 and Windows NT
* Outlook Express included with Internet Explorer 4.01 on Solaris.
* Outlook Express included with Internet Explorer 4.01 on the Macintosh.
* Outlook Express 4.01 for Windows 3.1 is not affected by this issue.

What Microsoft is Doing
=======================

Microsoft has posted an update that protects customers against a potential problem involving file attachments with extremely long names.

To get the update for Microsoft Outlook 98 for Windows '95, Windows '98 & Windows NT, see http://support.microsoft.com/support/msfe.

1. On the Microsoft File Exchange page, click "Click Here to Receive a file from a Microsoft Technical Support engineer via your web browser."
2. On the "Receiving Files From MFSE" page, type OLMIME in the box, and click Continue
3. The name of the file is outpatch.exe

This patch will work for all language versions of Microsoft Outlook 98. If you use the Outlook 98 newsreader, you must also install the update for Outlook Express noted below.

Microsoft Outlook Express 4.0 users
-----------------------------------

If you are using Outlook Express 4.0 that comes with Internet Explorer 4.0, you must upgrade to Internet Explorer 4.01 in order to apply this update. You can upgrade to Internet Explorer 4.01 with Service Pack 1 at the following location: http://www.Microsoft.com/ie

To get the update for Microsoft Outlook Express 4.01 for Windows '95, Windows '98 & Windows NT, see http://www.microsoft.com/ie/security/oelong.htm

The update for Microsoft Outlook Express 4.01 for the Macintosh & Solaris will be released shortly, please visit http://www.Microsoft.com/security for updated information.

What customers should do
========================

Microsoft recommends that customers using Internet Explorer 4.0 immediately upgrade to Internet Explorer 4.01 and then apply the update. Customers using Outlook '98 & Internet Explorer 4.01 can directly apply the appropriate update.

Administrative workaround
=========================

Customers who cannot apply the hot fix to Outlook Express can use the following workaround to temporarily address this issue:

For Outlook Express
-------------------

Customers who get attachments in e-mail should NOT click on the attachment. They should save the attachment to their hard drive and then view the attachment using the Windows Explorer. To save the attachment the user should:

1. Select Save Attachment from the File Menu.
2. Choose the attachment name from the pop up menu and save to a hard drive.
3. Bring up the Windows Explorer and view the attachment on the hard drive.

More Information
================

Please see the following references for more information related to this issue.

* Microsoft Security Bulletin 98-008, Update Available For Long Filename Security Issue affecting Microsoft Outlook 98 & Microsoft Outlook Express 4.x (the web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-008.htm
* Microsoft Internet Explorer Security Web Site, http://www.microsoft.com/ie/security

Revisions
=========

July 27, 1998: Bulletin Created

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private The subject line and message body are not used in processing the request, and can be anything you like.
For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
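
Added example (not part of the Microsoft bulletin): a mail-gateway style check that flags messages whose attachments declare an over-long file name, for sites that must screen mail before unpatched clients download it. The bulletin gives no exact length, so MAX_NAME_LEN is an assumed local policy value, and the function names and sample message are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Assumption: the bulletin only says "a certain number of characters", so this
# limit is a local policy choice (255 is a common file-name component limit).
MAX_NAME_LEN = 255


def declared_name(part, header, param):
    """Return one header parameter as text, or None when it is absent."""
    value = part.get_param(param, header=header)
    return None if value is None else collapse_rfc2231_value(value)


def long_attachment_names(raw_message, limit=MAX_NAME_LEN):
    """Return (header, length) for each MIME part whose declared file name
    exceeds `limit`. A name can be declared in two places, so both are read;
    RFC 2231 continuations (filename*0, filename*1, ...) are joined first."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        for header, param in (("content-disposition", "filename"),
                              ("content-type", "name")):
            name = declared_name(part, header, param)
            if name is not None and len(name) > limit:
                findings.append((header, len(name)))
    return findings


def constructed_sample(disposition_params):
    """Constructed test message (not from the bulletin) with one attachment."""
    return (
        "From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nbody\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Disposition: attachment; {disposition_params}\r\n\r\n"
        "data\r\n--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    sample = constructed_sample('filename="' + "A" * 300 + '.txt"')
    for header, length in long_attachment_names(sample):
        print(f"quarantine: {header} declares a {length}-character file name")
```

The check measures the name after continuation segments are reassembled, so a name split into several short pieces is still counted at its full length.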