From: Microsoft Product Security (secnotif@MICROSOFT.COM)
Date: Thu Feb 22 2001 - 21:36:02 CST

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: Outlook, Outlook Express Vcard Handler Contains
                Unchecked Buffer
    Date: 22 February 2001
    Software: Outlook, Outlook Express
    Impact: Run code of attacker's choice
    Bulletin: MS01-012

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-012.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    Outlook Express provides several components that are used both by it
    and Outlook, if Outlook is installed on the machine. One such
    component, used to process vCards, contains an unchecked buffer.

    By creating a vCard and editing it to contain specially chosen data,
    then sending it to another user, an attacker could cause either of
    two effects to occur if the recipient opened it. In the less serious
    case, the attacker could cause the mail client to fail. If this
    happened, the recipient could resume normal operation by restarting
    the mail client and deleting the offending mail. In the more serious
    case, the attacker could cause the mail client to run code of her
    choice on the user's machine. Such code could take any desired
    action, limited only by the permissions of the recipient on the
    machine.

    Because the component that contains the flaw ships as part of OE,
    which itself ships as part of IE, the patch is specified in terms of
    the version of IE rather than OE or Outlook.

    Mitigating Factors:
    ====================
     - There is no means by which a Vcard could be made to open
       automatically.

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-012.asp
       for information on obtaining this patch.

    Acknowledgment:
    ===============
     - Ollie Whitehouse of @Stake (www.atstake.com)

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
    THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.
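
The "unchecked buffer" class of flaw described in the Issue section, shown from the defensive side as an added example (not code from the bulletin or from Microsoft): a vCard content-line parser that refuses any property whose name or value does not fit its fixed buffer. The buffer sizes, type names and function names are assumptions made for illustration; the bulletin does not describe the affected component's internals.

```c
#include <stddef.h>
#include <string.h>

/* Assumed sizes for illustration; the bulletin gives no real ones. */
#define VC_NAME_MAX  32
#define VC_VALUE_MAX 256

struct vc_prop {
    char name[VC_NAME_MAX];
    char value[VC_VALUE_MAX];
};

enum vc_status { VC_OK = 0, VC_MALFORMED = -1, VC_TOO_LONG = -2 };

/* Copy len bytes into a fixed buffer only if they fit with the terminator. */
static int bounded_copy(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return VC_TOO_LONG;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return VC_OK;
}

/*
 * Parse one unfolded vCard content line, "NAME[;params]:value".
 * An unchecked handler would copy the value straight into out->value
 * (for example with strcpy), although the sender controls its length
 * and the receiving buffer is fixed. Here every copy is length-checked.
 */
int vc_parse_line(const char *line, struct vc_prop *out)
{
    const char *colon = strchr(line, ':');
    /* Property name ends at the first ';' (parameters) or at the ':'. */
    size_t name_len = strcspn(line, ";:");
    if (colon == NULL || name_len == 0)
        return VC_MALFORMED;

    int rc = bounded_copy(out->name, sizeof out->name, line, name_len);
    if (rc != VC_OK)
        return rc;

    /* Value runs to the end of the line; a trailing CR/LF is dropped. */
    const char *val = colon + 1;
    size_t val_len = strcspn(val, "\r\n");
    return bounded_copy(out->value, sizeof out->value, val, val_len);
}
```

A caller should treat `VC_TOO_LONG` as a reason to reject the whole card rather than truncate and continue, so that oversized input never reaches later processing.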