
Outlook Express Remote Code Execution in Preview Pane



14th Oct 2002 [SBWID-5745]
COMMAND

	Outlook Express Remote Code Execution in Preview Pane (S/MIME)

SYSTEMS AFFECTED

	 Outlook Express version 5.50

	 Outlook Express version 6.0

	

	Immune versions:
	

	 Outlook Express 5.5 SP2

	 Outlook Express 6.0 SP1 (included in Windows XP SP1)

	 Microsoft Outlook

PROBLEM

	From Noam Rathaus' [noamr@beyondsecurity.com] advisory:
	

	 http://www.securiteam.com/windowsntfocus/6D00B005PU.html

	

	

	S/MIME has been implemented in Outlook Express in accordance with RFC
	2311 (http://www.ietf.org/rfc/rfc2311.txt?number=2311). As the RFC
	states, an error message should be displayed whenever the "From" field
	of the letter does not match that of the S/MIME RFC822 Name (in our
	example it will be noamr@beyondsecurity.com).
	

	The following error message will be displayed whenever such an incident
	occurs (the fake email address has been set to "Fake"):

	-----------------------------------
	Security Warning

	There are security problems with this message.
	Please review the highlighted items listed below:

	(V) Message has not been tampered with
	(V) You do trust the signing digital ID
	(V) The digital ID has not expired
	(X) The digital ID's e-mail address does not match sender's
	 Signer: noamr@beyondsecurity.com
	 Sender: Fake
	(V) The digital ID has not been revoked or revocation information for this certificate could not be determined.
	(V) There are no other problems with the digital ID
	-----------------------------------

	

	Ironically, this warning message is where the vulnerability lies. An
	overflow in the code that tries to place the sender's email address in
	the message allows arbitrary code execution, which is triggered
	whenever a user views the message. Viewing it in the preview pane is
	sufficient to trigger the overflow.
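
	The bug class described above, shown from the fixing side as an added example (not code from the advisory or from Outlook Express): a formatter for the warning's "Signer:/Sender:" lines that bounds and sanitizes the attacker-controlled sender field before it reaches a fixed-size buffer. The function names and the 128-byte field size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define WARN_FIELD_MAX 128   /* assumed capacity of one displayed field */

/* Copy src into dst (capacity cap), replacing non-printable bytes with '?'
 * and ending with "..." when the input does not fit.
 * Returns 1 if the input was truncated, 0 otherwise. */
static int copy_display_field(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    if (cap == 0) return 1;
    while (src[i] != '\0' && i + 1 < cap) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = isprint(c) ? (char)c : '?';
        i++;
    }
    dst[i] = '\0';
    if (src[i] == '\0') return 0;                    /* whole field fitted */
    if (cap >= 4) memcpy(dst + cap - 4, "...", 4);   /* 4 bytes: "..." + NUL */
    return 1;
}

/* Build the "Signer:/Sender:" lines of the address-mismatch warning.
 * An unbounded strcpy/sprintf of the From header into a fixed buffer is the
 * kind of defect the advisory describes; here every write is length-checked.
 * Returns 0 on success, 1 if a field was truncated, -1 if out is too small. */
int format_mismatch_warning(char *out, size_t outlen,
                            const char *signer, const char *sender)
{
    char s1[WARN_FIELD_MAX], s2[WARN_FIELD_MAX];
    int truncated = copy_display_field(s1, sizeof s1, signer);
    truncated |= copy_display_field(s2, sizeof s2, sender);

    /* snprintf never writes past outlen; its return value is the length
     * the complete string would have needed. */
    int n = snprintf(out, outlen, " Signer: %s\n Sender: %s\n", s1, s2);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return truncated;
}
```

	A return value of 1 is also a useful logging signal: a legitimate From address has no reason to exceed the display field.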
	

	

SOLUTION

	Microsoft has responded promptly and the fix  was  included  in  Service
	Pack 1 for Windows XP released a  few  weeks  ago.  A  patch  for  other
	systems is available at:
	

	http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp

	

