__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

        Microsoft Outlook VCard Unchecked Buffer Vulnerability

February 26, 2001 22:00 GMT                                    Number L-050
______________________________________________________________________________
PROBLEM:       An unchecked buffer in the Virtual business card application
               (VCard) could enable an attacker to run the code of his choice.
PLATFORM:      Microsoft Outlook, Outlook Express
DAMAGE:        Damage is limited to the account privileges of the e-mail
               recipient. Further, it cannot be exploited remotely. Like
               malicious code, the recipient must be persuaded to open/execute
               the VCard.
SOLUTION:      Apply the Microsoft patches described below.
______________________________________________________________________________
VULNERABILITY  MEDIUM. The potential damage of this exploit is limited to the
ASSESSMENT:    account privileges of the recipient. In addition, it requires
               more than random characters to be inserted for the buffer
               overflow, and it requires the user of the system to execute it.
               This is not remotely exploitable.
______________________________________________________________________________

[****** Start Microsoft Advisory ******]

----------------------------------------------------------------------
Title:      Outlook, Outlook Express Vcard Handler Contains Unchecked Buffer
Date:       22 February 2001
Software:   Outlook, Outlook Express
Impact:     Run code of attacker's choice
Bulletin:   MS01-012

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-012.asp.
----------------------------------------------------------------------

Issue:
======
Outlook Express provides several components that are used both by it and
Outlook, if Outlook is installed on the machine. One such component, used to
process vCards, contains an unchecked buffer. By creating a vCard and editing
it to contain specially chosen data, then sending it to another user, an
attacker could cause either of two effects to occur if the recipient opened
it. In the less serious case, the attacker could cause the mail client to
fail. If this happened, the recipient could resume normal operation by
restarting the mail client and deleting the offending mail. In the more
serious case, the attacker could cause the mail client to run code of her
choice on the user's machine. Such code could take any desired action, limited
only by the permissions of the recipient on the machine.

Because the component that contains the flaw ships as part of OE, which itself
ships as part of IE, the patch is specified in terms of the version of IE
rather than OE or Outlook.

Mitigating Factors:
====================
- There is no means by which a Vcard could be made to open automatically.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security
  Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-012.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Ollie Whitehouse of @Stake (www.atstake.com)

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

[****** End Microsoft Advisory ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
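The Microsoft advisory above describes the flaw only as an unchecked buffer in the vCard handler; the handler's source is not public. The following is an added illustration, not Microsoft's or CIAC's code, modelling that bug class on a vCard "FN:" property: an unchecked copy into a fixed buffer next to the bounded form a fix would use. The property name, the 64-byte buffer size and the sample card are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* assumed buffer size; the real handler's is not published */

/* Locate the value of the "FN:" property line in a vCard and return its length
   (up to the end of the line), or 0 with *val == NULL if the property is absent.
   Line folding (RFC 2426 continuation lines) is not handled in this illustration. */
static size_t find_fn(const char *vcard, const char **val) {
    const char *p = strstr(vcard, "\nFN:");
    if (p == NULL) { *val = NULL; return 0; }
    *val = p + 4;
    return strcspn(*val, "\r\n");
}

/* Vulnerable pattern: the value is copied into a fixed buffer without comparing
   its length against the buffer size, so an over-long FN: line writes past the
   end of 'out'. Shown only to contrast with the checked version below. */
int parse_fn_unchecked(const char *vcard, char out[NAME_MAX]) {
    const char *val;
    size_t n = find_fn(vcard, &val);
    if (val == NULL) return -1;
    memcpy(out, val, n);          /* no bound check */
    out[n] = '\0';
    return 0;
}

/* Hardened form: the length is checked first and an over-long value is refused
   (return 1), so the caller can reject the card instead of crashing or running
   attacker-controlled data. */
int parse_fn_checked(const char *vcard, char out[NAME_MAX]) {
    const char *val;
    size_t n = find_fn(vcard, &val);
    if (val == NULL) return -1;
    if (n >= NAME_MAX) return 1;  /* leave room for the terminator */
    memcpy(out, val, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample card, not taken from the bulletin. */
    static const char card[] =
        "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Alice Example\r\nEND:VCARD\r\n";
    char name[NAME_MAX];
    if (parse_fn_checked(card, name) == 0)
        printf("FN = %s\n", name);
    return 0;
}
```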
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-040: The Ramen Worm
L-041: Microsoft Hotfix Packaging Anomalies
L-042: Compaq Web-enabled Management Software Buffer Overflow
L-043: Microsoft NTLMSSP Privilege Elevation Vulnerability
L-044: Microsoft Network DDE Agent Request Vulnerability
L-045: Red Hat Linux 'sysctl, ptrace, & mxcsr P4' Vulnerability
L-046: The VBS.AnnaKournikova Worm
L-047: OpenSSH SSH1 Coding Error and Server Key Vulnerability
L-048: Red Hat Linux "vixie-cron buffer overflow username crontab"
L-049: Microsoft "Malformed Request to Domain Controller"