Home PageEnter the Online ShopCipher-IT ProductsServicesCipher-IT SolutionsAbout Cipher-ITContact us

Microsoft’s Outlook Bug Exposes Internet
 A massive hole in Microsoft's ubiquitous mail program could lead to
email-borne havoc

A newly discovered vulnerability in Microsoft's Outlook and Outlook Express programs leave thousands of computers open to attack from malicious email, and puts the lie to the conventional wisdom that you can't get a computer virus if you don't open

The bug, which is known to affect Windows 95, 98 and NT, is a classic "buffer overflow" error in the section of Outlook that passes the Date field of each incoming email. By padding the date with a long string of characters, an attacker can escape from the area of memory reserved for storing it, and into a section that executes instructions. From there, the attacker's email could secretly infect a victim computer with a "back door" program like Back Orifice, or instruct it to send the offending email back out to the net like the LoveLetter virus.

The vulnerability doesn't require any attachment to the email; Outlook users need only read a message to be hit. Outlook Express users are even more vulnerable, and can fall prey to malicious code without reading the message, or even being at their computer when it comes in.

"This has the potential to be the worst one we've seen yet," said Brian Martin, a senior security engineer at Maryland-based Digital Systems International Corporation. "If this can execute as soon as the mail is received, oh man, that's just perfect."

Love Redux

Based on a hurried analysis, Martin said that the bug could likely be used to launch massive attacks on vast numbers of machines at a time. "What if you had a mail list with thousands of people and you posted to that?," said Martin. "One well-placed email and you can probably infect thousands of people with a Back Orifice or a NetBus." 'There are probably a dozen people each figuring out the best ways to exploit this. ' -- Brian Martin, DSIC

Aaron Drew discovered the vulnerability, and posted the details to the Bugtraq mailing list on Tuesday, along with code that ostensibly demonstrates the bug. MSNBC reports that the hole was also discovered over a month ago by researchers at USSR Labs, which also boasts working exploit code. Both the news service and the security group kept it a secret while awaiting a Microsoft fix.

As of Tuesday evening, Microsoft had not yet issued a patch, and the company's PR firm could not be reached for comment. Email to Microsoft's security team went unanswered.

Please feel free to email us - support@cipher-it.co.uk
 

Images and content are copyright to Cipher-IT Ltd

Site designed by Cipher-IT Ltd