J-Security Center

Title: Microsoft Outlook / Outlook Express GMT Field Buffer Overflow Vulnerability

Severity: HIGH

Description:

Some versions of Microsoft Outlook and Outlook Express contain a buffer overflow that allows a remote user to execute arbitrary code on an email recipient's system.

The problem lies in how Outlook and Outlook Express parse the GMT section of the Date field in an email's header when the message is downloaded via POP3 or IMAP4. This parsing is handled by INETCOMM.DLL, which performs inadequate bounds checking on the GMT token.

A malicious user may send a specially crafted message containing an unusually long value for the GMT field. When the message is downloaded, the overflow corrupts process memory. By modifying the saved values used to restore some CPU registers, the attacker may force the process to execute code included in the GMT field. Transmitting random data instead may simply crash the application, resulting in a denial of service condition.

The same result can be achieved by embedding the specially formed GMT field in a message attached as a MIME attachment, using Outlook's MIME attached-message format.

Successful exploitation results in arbitrary code being executed on the system with the privileges of the client process. Once local access is obtained, elevated privileges may be significantly easier to acquire.
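As an added illustration that is not part of this advisory, the following Python check, of the kind a mail gateway or filter could apply before a vulnerable client downloads a message, flags Date headers whose zone token is far longer than any legitimate value, including inside attached message/rfc822 parts (the second delivery route described above). The length threshold and the sample message are assumptions.

```python
import email
import re
from email import policy

# Longest legitimate zone token in a Date header ("GMT", "EST", "+0200");
# the threshold is an assumption, anything longer is flagged.
MAX_ZONE_LEN = 5

# Matches through the time-of-day, then captures the zone token. Day-of-week
# and seconds are optional; a trailing "(comment)" is not part of the token.
_DATE_RE = re.compile(r"^(?:[A-Za-z]{3},\s*)?\d{1,2}\s+[A-Za-z]{3}\s+\d{2,4}\s+"
                      r"\d{1,2}:\d{2}(?::\d{2})?\s+(?P<zone>[^\s(]+)")

def oversized_zone(date_value):
    """Return the zone token if longer than MAX_ZONE_LEN, else None. A Date
    that does not parse at all is returned whole when implausibly long."""
    value = " ".join(date_value.split())  # unfold and collapse whitespace
    m = _DATE_RE.match(value)
    if m is None:
        return value if len(value) > 64 else None
    zone = m.group("zone")
    return zone if len(zone) > MAX_ZONE_LEN else None

def _walk(part, path, findings):
    for date in part.get_all("Date", []):
        bad = oversized_zone(date)
        if bad is not None:
            findings.append((path, len(bad)))
    # is_multipart() also holds for message/rfc822, so attached messages are scanned.
    if part.is_multipart():
        for i, sub in enumerate(part.get_payload()):
            _walk(sub, f"{path}/{i}", findings)

def scan_message(raw):
    """Return [(part_path, zone_length), ...]. compat32 keeps header values
    verbatim; the default policy re-formats an unparseable Date, hiding it."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    findings = []
    _walk(msg, "root", findings)
    return findings

# Constructed sample: clean outer message carrying an attached message whose
# Date header ends in a 300-byte "GMT..." token.
BAD_DATE = "Date: Mon, 16 Jul 2001 10:00:00 GMT" + "A" * 297 + "\r\n"
SAMPLE = (
    "From: sender@example.invalid\r\nDate: Mon, 16 Jul 2001 10:00:00 GMT\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: message/rfc822\r\n\r\nFrom: a@example.invalid\r\n"
    + BAD_DATE + "\r\nattached body\r\n--b1--\r\n"
)
```

Running `scan_message(SAMPLE)` reports the oversized token only in the attached message (path `root/0/0`), while the well-formed outer Date header passes.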

Affected Products:

  • Microsoft Outlook 2000 0.0.0
  • Microsoft Outlook 97 0.0.0
  • Microsoft Outlook 98 0.0.0
  • Microsoft Outlook Express 4.0.0
  • Microsoft Outlook Express 4.0.01 SP2
  • Microsoft Outlook Express 5.0.0
  • Microsoft Outlook Express 5.0.01

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.