[MS02-067] E-mail Header Processing Flaw....



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)
Date: 04 December 2002
Software: Microsoft Outlook 2002
Impact: Denial of Service
Max Risk: Moderate
Bulletin: MS02-067

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS02-067.asp
http://www.microsoft.com/security/security...ns/MS02-067.asp
- ----------------------------------------------------------------------

Issue:
======
Microsoft Outlook provides users with the ability to work with e-mail, contacts, tasks, and appointments. Outlook e-mail handling includes receiving, displaying, creating, editing, sending, and organizing e-mail messages. When working with received e-mail messages, Outlook processes information contained in the header of the e-mail, which carries information about where the e-mail came from, its destination, and attributes of the message.

A vulnerability exists in Outlook 2002 in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances. The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook 2002 client would again function normally.

Mitigating Factors:
====================
- Outlook 2002 clients connecting to e-mail servers using the MAPI protocol are not affected. Only Outlook 2002 clients using POP3, IMAP, or WebDAV protocols are vulnerable.
- The vulnerability does not affect Outlook 2000 or Outlook Express.
- The vulnerability is a denial of service vulnerability only. The attacker would not be able to access the user's e-mail or system in any way. The vulnerability could not be used to read, delete, create, or alter the user's e-mail.
- If an attacker was able to send a specially malformed e-mail that successfully exploited this vulnerability, the specially malformed e-mail could be deleted either by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express. Once the specially malformed e-mail has been removed, normal operation would resume.

Risk Rating:
============
- Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/...in/ms02-067.asp for information on obtaining this patch.

Acknowledgment:
===============
- Richard Lawley
