************************************************************************* Security Bulletin 9823 DISA Defense Communications System August 17, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Microsoft ! ! Product Security Response Team and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= Microsoft Security Bulletin (MS98-008) -------------------------------------------------------------- Long Filename Attachment Vulnerability affecting Microsoft (R) Outlook (TM) 98 and Microsoft Outlook Express 4.x Last Revision: August 11, 1998 Summary ======= Recently Microsoft was notified by AUSCERT (http://www.auscert.org.au), OUSPG (http://www.oulu.fi/Welcome.html) and NTBugtraq (http://ntbugtraq.ntadvice.com) of a security vulnerability affecting the way Microsoft email clients handle file attachments with extremely long file names. On July 27th Microsoft published patches for Outlook 98 and Outlook Express 4.x that fixed the vulnerability reported to us by OUSPG. As part of our on-going security review process and analysis, we discovered a variant of the original vulnerability, and on August 11th, we posted updated versions of the patches that addresses all known vulnerabilities. Microsoft strongly recommends that all users download the appropriate updated patch to be protected against these vulnerabilities. Note: Customers should obtain these patches by downloading them from the Web sites listed below, or through some other trusted mechanism, such as through their ISP. While Microsoft has been sending email notifications to their customers to alert them to this issue and the availability of a patch, Microsoft does not send the patches in the email. Customers who receive an email with an attachment that claims to be a patch, should not install it. The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers. Issue ===== When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email client to shut down unexpectedly. These very long filenames do not normally occur in mail or news messages, and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious email message to run arbitrary computer code contained in the long string. This issue can cause one of the following to occur when attempting to download, open or view an mail or news message in Microsoft Outlook 98 or Microsoft Outlook Express 4.x that has an attachment with a very long filename. An error message similar to the following may be displayed: This program has performed an illegal operation and will be shut down. If the problem persists, contact the program vendor. Outlook 98 or Outlook Express may terminate unexpectedly. Affected Software Versions ========================== - Outlook 98 on Windows (R) 95, Windows 98 and Microsoft Windows NT (R) 4.0 - Outlook Express 4.0, 4.01 (including Outlook Express 4.01 with Service Pack 1) on Windows 95, Windows 98 and Windows NT 4.0 - Outlook Express 4.01 on Solaris - Outlook Express 4.01 on the Macintosh Additional Details ================== Outlook 98 ---------- When Outlook 98 attempts to download a mail or news message with a file attachment that has a filename greater than a certain length, Outlook could terminate unexpectedly. The user does not have to open the message or attachment in order for this to occur. This issue affects all users of Outlook 98. Outlook 97 is not affected by this issue. Outlook Express 4.x ------------------- When the user attempts to open an attachment in Outlook Express mail or news client and the attachment has a filename longer than a certain number of characters, the client could terminate unexpectedly. Outlook Express 4.01 for Microsoft Windows 3.1 and Windows NT 3.51 are not affected by this issue. What Microsoft is Doing ======================= On July 27th Microsoft published patches for Outlook 98 and Outlook Express 4.x that fixed the vulnerability reported to us by OUSPG. This vulnerability was caused by improper handling of file attachments with very long filenames in Outlook 98 and Outlook Express 4.x. As part of our on-going security review process and analysis, we discovered a variant of the original vulnerability. On August 11th, we posted updated versions of the patches originally posted on July 27th, which fixes all known vulnerabilities. Microsoft has sent this security bulletin (MS98-008) to the Microsoft Product Security Notification Service. (See http://www.microsoft.com/security/bulletin.htm for more information about this free customer service). Microsoft has also sent an email alert to all registered users of Outlook 98 and Outlook Express. In addition, Microsoft has notified CERT, an industry security organization, which distributes information to corporate, government and end-users. What customers should do ======================== Microsoft highly recommends that customers download and apply the appropriate updates listed below. Note: Customers should obtain these patches by downloading them from the Web sites listed below, or through some other trusted mechanism, such as through their ISP. While Microsoft has been sending email notifications to their customers to alert them to this issue and the availability of a patch, Microsoft does not send the patches in the email. Customers who receive an email with an attachment that claims to be a patch should not install it. Microsoft Outlook 98 -------------------- Customers using Microsoft Outlook 98 for Windows 95, Windows 98 or Windows NT 4.0 should download the updated Outlook 98 patch from Office Update at http://www.microsoft.com/outlook/enhancements/outptch2.asp Localized versions of the Outlook 98 patch will be released shortly. Microsoft Outlook Express 4.x ----------------------------- Customers using Outlook Express 4.0 that comes with Internet Explorer 4.0 on Windows 95, Windows 98 or Windows NT 4.0 must first upgrade to Internet Explorer 4.01 SP1 (http://www.microsoft.com/ie/download), then install the Outlook Express updated patch listed below. Customers using Microsoft Outlook Express 4.01 or 4.01 SP1 for Windows 95, Windows 98, Windows NT 4.0 or the Macintosh should download the available updated patch from the Internet Explorer security Web site, http://www.microsoft.com/ie/security/oelong.htm Windows 98 customers can also get the updated Outlook Express patch using the Windows Update feature of Windows 98. For more information, please visit the Windows Update site, http://windowsupdate.microsoft.com The patch for Microsoft Outlook Express 4.01 for Solaris will be released shortly. When this patch is available, it will be announced at http://www.microsoft.com/security Localized versions of the Outlook Express 4.x patch will be released shortly. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin 98-008, Long Filename Attachment Vulnerability affecting Microsoft Outlook 98 and Microsoft Outlook Express 4.x (the Web posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-008.htm - Microsoft Media Alert, E-mail Security Issue, July 29, 1998, http://www.microsoft.com/presspass/press/1998/jul98/securpr.htm - Microsoft Internet Explorer Security Web Site, http://www.microsoft.com/ie/security - Microsoft Internet Explorer Security Bulletin, "Fix available for Outlook Express File Attachment issue," http://www.microsoft.com/ie/security/oelong.htm - Updated Patch for Outlook 98 Security Issue, http://www.microsoft.com/outlook/enhancements/outptch2.asp - Frequently Asked Questions, http://www.microsoft.com/security/bulletins/emailfaq.htm Revisions ========= July 27, 1998: Bulletin Created. July 29, 1998: Bulletin Updated. August 11, 1998: Include information on updated patch. For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security ---------------------------------------------------------------------------- ---- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (C) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp. ===================================================== For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.