Small bug crashes OE

From: Raistlin (raistlinat_private)
Date: Mon Sep 09 2002 - 13:01:42 PDT

  • Next message: Raistlin: "Small correction..."

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    --- OVERVIEW ---
    
    A small "Denial of Service" kind of bug showed up in Outlook Express.
    
    --- AFFECTED VERSIONS ---
    
    - From our tests:
    Outlook Express, any version between 5 and 6, with all patches
    applied, is vulnerable; however, the bug seems not to lead to a total
    crash on certain configurations.
    
    We are still trying to figure out exactly why, so if you would like
    to contribute you could send us a short e-mail with your version of
    Outlook Express, the Internet Explorer patches you applied, the OS and
    its patch level, and what behaviour you observed (crash, slowdown or
    even nothing). If you like, add a list of other common apps you have
    installed which could interact with OE. Thanks.
    
    Microsoft acknowledged this bug months ago. Then we pretty much
    forgot about this :P
    
    --- DESCRIPTION OF BEHAVIOUR ---
    
    I have detected a small bug which can be exploited to crash Outlook
    Express; versions 5, 5.5 and 6 seem to be equally affected. SP1 and
    SP2, where available, do not correct this behaviour.
    
    The problem shows up when decoding an HTML e-mail with an <A HREF>
    link longer than 4095 characters. Outlook Express crashes altogether
    due to an overflow.
    
    This overflow seems not exploitable, but you are quite welcome to
    elaborate :-)
    
    The behaviour has been reproduced on Windows 98, ME, and 2000. I can
    add that a similarly long HREF also has strange, curious effects on
    Internet Explorer, but not so dramatically evident and reproducible.
    
    As I said before, some systems seem not vulnerable. The reason is a
    mystery.
    
    --- "EXPLOIT" ---
    
    It's not difficult to exploit this vuln. Please find enclosed a
    simple e-mail which should crash the mailer. Let me know if this does
    not happen on international versions, or with strange patches
    applied.
    
    --- SOLUTIONS ---
    
    Microsoft was contacted on 05/02/2002 (I told you this was an old
    one!), and after a week they concluded the following:
    
    "This is a known issue and scheduled to be fixed in SP1 of IE6 and
    any other hotfix supported version of IE."
    
    However, no "hotfixes" have been released for this vulnerability in
    particular, and no IE6 SP1 has been released (that I know of; I do
    not use IE6); but I have seen an IE6 SP1 "beta" version. If someone
    has had the courage to install it, could they please report whether
    this bug is still there?
    
    For everybody else, the only solutions are:
    1) Filtering all HTML mail to /dev/null or equivalent on your mail
    server (been there, done that, and I live happy)
    2) Change your mailer for something less prone to such misbehaviour
    (possibly open source, so you can patch it yourself just in case)
    3) Wait and hope for a hotfix and/or SP to be released
    
    --- CONCLUSIONS ---
    
    This small bug does not pose any real security risk (unless there's
    some other way to exploit it which neither I nor Microsoft could
    think of ;-). However, IMHO, it's pretty strange that a small patch
    for this kind of bug could not be produced independently. Perhaps the
    randomness with which the bug seems to show up has something to do
    with this?
    
    Stefano "Raistlin" Zanero
    System Administrator Gioco.Net
    public PGP key block at http://gioco.net/pgpkeys
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPXz+Is3M5skoND9nEQIXPACcCzCW4ppY4M9ru811cluT0Yn7Db8AoIn2
    85G+j2ZLzesFKk3FwQtDeWoM
    =km0Y
    -----END PGP SIGNATURE-----
    
    
    
    

    attached mail follows:
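The test e-mail the author enclosed did not survive in the archive. What follows is an added example, not the original attachment and not the author's code: it builds a constructed multipart/alternative message whose HTML part carries one <A HREF> of a chosen length (so the 4095-character boundary named above can be checked on either side), and it implements the server-side check a mail administrator would put in front of Outlook Express users, either flagging any HTML part with an over-long href or, as the author's first workaround does, rejecting HTML mail outright. The addresses, the example.invalid host and the function names are placeholders chosen for this illustration; only the Python standard library is used.

```python
# Added example (not the author's enclosed test e-mail, which did not survive
# in the archive): build a constructed reproducer of the behaviour described
# above (an HTML part whose <A HREF> value is longer than 4095 characters) and
# a mail-server side check that flags such messages, or drops HTML mail
# altogether as the author's first workaround does.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Threshold from the advisory: links longer than 4095 characters trigger the crash.
HREF_LIMIT = 4095

# href="...", href='...' or unquoted href=value, case-insensitive.
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                     re.IGNORECASE)


def build_test_message(href_len=HREF_LIMIT + 1,
                       base="http://example.invalid/"):
    """Return a constructed multipart/alternative message (as bytes) whose HTML
    part carries a single <a href> of exactly href_len characters.  Addresses
    and host are placeholders, not taken from the original post."""
    if href_len <= len(base):
        raise ValueError("href_len must exceed the base URL length")
    link = base + "A" * (href_len - len(base))
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "long href test"
    msg.set_content("Plain-text alternative; nothing to see here.")
    # The stdlib picks a content-transfer-encoding that keeps wire lines short
    # (quoted-printable or base64), so the long link survives transport intact.
    msg.add_alternative(
        f'<html><body><a href="{link}">click</a></body></html>', subtype="html")
    return msg.as_bytes()


def longest_href(html):
    """Length of the longest href attribute value in an HTML string (0 if none)."""
    longest = 0
    for m in HREF_RE.finditer(html):
        value = next(g for g in m.groups() if g is not None)
        longest = max(longest, len(value))
    return longest


def scan_message(raw, limit=HREF_LIMIT):
    """Parse a raw RFC 822 message and inspect every text/html part.
    Returns the number of HTML parts, the longest href seen and whether
    it exceeds the limit."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html_parts, longest = 0, 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html_parts += 1
            # get_content() undoes the transfer encoding and charset for us.
            longest = max(longest, longest_href(part.get_content()))
    return {"html_parts": html_parts, "longest_href": longest,
            "over_limit": longest > limit}


def verdict(raw, drop_all_html=False, limit=HREF_LIMIT):
    """Policy decision a content filter would return for one message.
    drop_all_html=True is the author's option 1 (HTML mail to /dev/null);
    otherwise only messages with an over-long href are rejected."""
    result = scan_message(raw, limit)
    if drop_all_html and result["html_parts"]:
        return "reject: HTML part present"
    if result["over_limit"]:
        return "reject: href of %d chars exceeds %d" % (result["longest_href"], limit)
    return "accept"


if __name__ == "__main__":
    crasher = build_test_message(4096)
    harmless = build_test_message(4095)
    print(verdict(crasher))                        # reject: href of 4096 chars exceeds 4095
    print(verdict(harmless))                       # accept
    print(verdict(harmless, drop_all_html=True))   # reject: HTML part present
```

The check deliberately runs on the decoded part (get_content) rather than on the raw wire bytes: a 4096-character link arrives quoted-printable or base64 encoded and split across many short lines, so a filter that greps the raw message for a long "href=" line would miss exactly the case the advisory describes.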





    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 13:22:55 PDT