[NT] Outlook Express Cumulative Security Update (MS04-18)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04

    To: list@securiteam.com
    Date: 14 Jul 2004 16:29:52 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Outlook Express Cumulative Security Update (MS04-18)
    ------------------------------------------------------------------------

    SUMMARY

    This update resolves a public vulnerability. A denial of service
    vulnerability exists in Outlook Express because of a lack of robust
    verification for malformed e-mail headers. If a user is running Outlook
    Express and receives a specially crafted e-mail message, Outlook Express
    would fail. If the preview pane is enabled, the user would have to
    manually remove the message, and then restart Outlook Express to resume
    functionality.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows NT Workstation 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
     * Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
    Pack 3, Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (Me)

    Affected Components:
     * Microsoft Outlook Express 5.5 Service Pack 2 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=9A8D1BF2-93C5-41A9-B79A-31D54743BA0E&displaylang=en> Download the update

     * Microsoft Outlook Express 6 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=D5900DF1-10AB-4850-9064-3070CE1F948A&displaylang=en> Download the update

     * Microsoft Outlook Express 6 Service Pack 1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=AD6A96BC-DAF0-4EAB-89B8-BD702B3E3E5D&displaylang=en> Download the update

     * Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=ADCCF304-6CFC-48D6-9A3F-2A601C3A04A5&displaylang=en> Download the update

     * Microsoft Outlook Express 6 on Windows Server 2003 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C99AAFCD-B99B-4B13-A366-5F8EDC83633F&displaylang=en> Download the update

     * Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=10D1AAD0-0313-4BEB-A174-84CF573F31FD&displaylang=en> Download the update

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0215>
    CAN-2004-0215

    A denial of service vulnerability exists that could allow an attacker to
    send a specially crafted e-mail message causing Outlook Express to fail.
    The DoS is possible due to a bug in how Outlook Express parses e-mail
    headers. A malformed e-mail header can then be used to exploit this
    vulnerability.

    Mitigating Factors for Malformed E-mail Header Vulnerability
     * The following versions of Outlook Express are not affected by this
    vulnerability:
       * Microsoft Outlook Express 5.5SP2
       * Microsoft Outlook Express 6 SP1
       * Microsoft Outlook Express 6 SP1 (64-Bit Edition)
       * Microsoft Outlook Express 6 on Windows Server 2003
       * Microsoft Outlook Express 6 on Windows Server 2003 (64-Bit Edition)

     * If the preview pane is not enabled, the malicious e-mail message would
    have to be opened by the user for Outlook Express to fail.

    Workarounds for Malformed E-mail Header Vulnerability
     * Disable the preview pane

        Disabling the preview pane will prevent the malicious e-mail message
    from causing Outlook Express to fail on each restart. To disable the
    preview pane, follow these steps:
         * In Outlook Express, click View, and then click Layout.
         * Click to clear the Show Preview Pane check box, and then click OK.

    Frequently Asked Questions for Malformed E-mail Header Vulnerability
    What is the scope of the vulnerability?
    This is a denial of service vulnerability. An attacker who exploited this
    vulnerability could cause Outlook Express to fail. A user would have to
    manually remove the e-mail message, and then restart Outlook Express to
    restore functionality.

    What causes the vulnerability?
    The method used by Outlook Express to validate malformed e-mail headers.

    What is an e-mail header?
    Mail servers and clients must have information that tells them how to
    process incoming and outgoing e-mail messages. This information is
    provided in header fields within the e-mail message. Examples of the type
    of information that is contained in e-mail header fields include the
    sender's e-mail address, the recipient's e-mail addresses, the time that
    the e-mail was sent, and the name of the mail server that received the
    e-mail message.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could cause
    Outlook Express to fail unexpectedly.

    Who could exploit the vulnerability?
    Any user who could deliver a specially crafted message to the affected
    user's e-mail account could attempt to exploit this vulnerability.

    How could an attacker exploit the vulnerability?
    An attacker could exploit the vulnerability by creating a specially
    crafted e-mail message, and then sending the message to an affected user's
    e-mail account. If the affected user opens the message, it could cause
    Outlook Express to fail.

    I have the preview pane enabled. How can I remove the malicious e-mail
    message without Outlook Express failing when it starts?
    You can disable the preview pane without starting Outlook Express by
    editing the registry. The following steps demonstrate how to disable the
    preview pane in Outlook Express:

    Note Using Registry Editor incorrectly can cause serious problems that may
    require you to reinstall your operating system. Microsoft cannot guarantee
    that problems resulting from the incorrect use of Registry Editor can be
    solved. Use Registry Editor at your own risk, and preferably back up the
    registry prior to performing any modifications.

     * Click Start, click Run, type "regedt32" (without the quotation marks),
    and then click OK.
     * In Registry Editor, locate the following registry key:
    HKCU\Identities\{Identity GUID}\Software\Microsoft\OutLook Express\5.0\Mail\
     * Click the ShowHybridView data value, click Edit, and change the DWORD
    value to 0.
     * Click OK and then restart Outlook Express.
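
The registry steps above, scripted for every identity of the current user, as an added example that is not part of the original advisory or Microsoft's bulletin. The key path and the ShowHybridView value name come from the advisory; the variable names and the backup file location are assumptions.

```powershell
# Added example: disable the Outlook Express preview pane for every identity
# of the current user without starting Outlook Express.
# Key path and value name (ShowHybridView) are taken from the advisory;
# variable names and the backup file location are assumptions.

$identitiesRoot = 'HKCU:\Identities'
$mailSubKey     = 'Software\Microsoft\OutLook Express\5.0\Mail'
$backupFile     = Join-Path $env:TEMP 'oe-showhybridview-backup.csv'   # assumed location

if (-not (Test-Path $identitiesRoot)) {
    Write-Warning "No $identitiesRoot key: no Outlook Express identities for this user."
    return
}

$results = foreach ($identity in Get-ChildItem $identitiesRoot) {
    # Each child key name is an {Identity GUID} as written in the advisory.
    $mailKey = Join-Path $identity.PSPath $mailSubKey
    if (-not (Test-Path $mailKey)) { continue }   # identity has no Mail key

    # Record the previous value so the preview pane can be restored after patching.
    $old = (Get-ItemProperty -Path $mailKey -Name ShowHybridView `
            -ErrorAction SilentlyContinue).ShowHybridView

    Set-ItemProperty -Path $mailKey -Name ShowHybridView -Value 0 -Type DWord

    # Read the value back to confirm the write took effect.
    New-Object PSObject -Property @{
        Identity = $identity.PSChildName
        OldValue = $old
        NewValue = (Get-ItemProperty -Path $mailKey -Name ShowHybridView).ShowHybridView
    }
}

if ($results) {
    $results | Export-Csv -Path $backupFile -NoTypeInformation
    $results | Format-Table Identity, OldValue, NewValue -AutoSize
} else {
    Write-Warning 'No identity had the Outlook Express Mail key; nothing changed.'
}
```

Run it as the affected user, since the key lives under HKCU; the CSV keeps the previous values so the preview pane can be re-enabled once the update is installed.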

    What systems are primarily at risk from the vulnerability?
    Systems where Outlook Express 6.0 is used to read e-mail messages, such as
    workstations and terminal servers, are primarily at risk from this
    vulnerability.

    What does the update do?
    The update removes the vulnerability by modifying the way that Outlook
    Express validates e-mail headers.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    Yes. This vulnerability has been publicly disclosed. It has been assigned
    Common Vulnerability and Exposure number
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0215>
    CAN-2004-0215.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had seen examples of proof of concept code published
    publicly but had not received any information indicating that this
    vulnerability had been publicly used to attack customers when this
    security bulletin was originally issued.

    Does applying this security update help protect customers from the code
    that has been published publicly that attempts to exploit this
    vulnerability?
    Yes. This security update addresses the vulnerability that is currently
    being exploited. The vulnerability that has been addressed has been
    assigned the Common Vulnerability and Exposure number
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0215>
    CAN-2004-0215.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx>


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

