Microsoft Security Bulletin MS00-043

Technical description:

A component shared by Outlook and Outlook Express, Inetcomm.dll, contains an unchecked buffer in the functionality that parses e-mail headers when downloading mail via either POP3 or IMAP4. By sending an e-mail that overruns the buffer, a malicious user could cause either of two effects to occur when the mail was downloaded from the server by an affected e-mail client:

• If the affected field were filled with random data, the e-mail could be made to crash.
• If the affected field were filled with carefully-crafted data, the e-mail client could be made to run code of the malicious user's choice. The vulnerability affects all Outlook Express users and all Outlook users whose mail clients are configured to use either POP3 or IMAP4. Outlook users who have configured Outlook to use only MAPI services are unlikely to be affected by the vulnerability. Despite this, Microsoft recommends that such customers apply one of the corrective steps discussed in the Patch Availability section, primarily because the patch protects against other vulnerabilities that affect all Outlook users, regardless of the mail protocol they use.

A version of Inetcomm.dll that is not affected by the vulnerability ships as part of Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5. Customers who do not wish to upgrade to Outlook Express 5.5 should install the patch provided below.

Inetcomm.dll is used by both Outlook Express and Outlook, and is distributed and updated as part of Internet Explorer and Outlook Express. Thus, customers who use Outlook should install the patch or version upgrade appropriate to the version of Internet Explorer and Outlook Express that is present on their machines

What's this bulletin about?
Microsoft Security Bulletin MS00-043 announces the availability of a patch that eliminates a vulnerability in Microsoft® Outlook® and Outlook Express. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit the vulnerability to send an e-mail that, when downloaded from the mail server, would have either of two effects. In the less serious case, it could cause Outlook or Outlook Express to fail. In the more serious case, it could cause code of the malicious user's choice to execute on the recipient's computer. Such code could take any action that the user was authorized to take on the machine, including reformatting the hard drive, communicating with an external web site, or changing data on the computer.
There are two primary restrictions on the vulnerability:

• The vulnerability is eliminated by recently-released versions of Internet Explorer. Specifically, a default installation of Internet Explorer 5.01 Service Pack 1 will eliminate the vulnerability for all customers, and a default installation of Internet Explorer 5.5 will eliminate it for all but Windows 2000 users.
• The vulnerability only affects certain mail protocols. Specifically, it does not affect the protocol used by default when Outlook is used with Microsoft Exchange Server. This would tend to reduce the risk posed to corporate networks, although, as discussed below, Microsoft recommends that all customers take corrective action.

What causes the vulnerability?
The vulnerability results because a component used by both Outlook and Outlook Express contains an unchecked buffer in the module that interprets e-mail header fields when certain e-mail protocols are used to download mail from the mail server. This could allow a malicious user to send an e-mail that, when retrieved from the server using an affected product, could cause code of his choice to run on the recipient's computer.

What's an unchecked buffer, and why does it cause the vulnerability?
A buffer is a storage area within a program. When a program reads an input, it stores it within a buffer in the program's memory. However, it's important to ensure that the data will actually fit into the buffer before attempting to store it in the buffer, or a buffer overrun condition can result.
In a buffer overrun, the length of the data exceeds the length of the buffer, and this has the effect of enabling new code to be introduced into the program. In the vulnerability at issue here, the buffer overrun would enable new code to be introduced into either Outlook or Outlook Express, while they are running. The new code would be limited only by the user's authorizations on the computer - anything the user was authorized to do on the computer, the new code could do as well.

What's an e-mail header?
Mail servers and clients need information that tells them how to process incoming and outgoing e-mails. This information is provided in header fields within the mail. Examples of the type of information contained in e-mail header fields include the sender's and receiver's addresses, the time at which the mail was sent, and the name of the mail server that received the mail.
In the vulnerability at issue here, Outlook and Outlook Express don't correctly check the length of one of the e-mail header fields before inserting it into a buffer for processing, when either POP3 or IMAP4 are used to download the mail.

What's POP3? What's IMAP4?
POP (Post Office Protocol) and IMAP (Internet Mail Access Protocol) are two commonly-used protocols that provide mail services. (The numbers at the end of POP3 and IMAP4 refer to the version of the protocol). POP3 is most frequently used for Internet mail. If you use an Internet service provider (ISP) to receive mail, it's likely that your mail client communicates with the server via POP3. IMAP4 is also used for Internet mail, but is not as widely used as POP3. It is, however, prevalent in academic networks.

Is this a problem in the POP3 or IMAP4 protocols?
No. The problem lies in how the protocols are implemented in the component that provides POP3 and IMAP4 support for Outlook and Outlook Express.

Are there any other mail protocols available in Outlook and Outlook Express?
For Outlook Express, only POP3 and IMAP4 are available. However, Outlook also can use MAPI (Messaging Application Programming Interface), which is not affected by the vulnerability. This serves to significantly reduce the scope of the vulnerability, at least for Outlook users. Outlook users who use only MAPI to communicate with their mail server are unlikely to be affected by this vulnerability.

I use Outlook. How can I tell if it's configured to use MAPI?
In general, customers who use Outlook as their e-mail client and Exchange Server as their mail server will be configured to use MAPI. However, it's important to ensure that you are using only MAPI. Here's how to do this:

• First, verify that Outlook is configured to use MAPI. To do this, open Outlook, then select "About Microsoft Outlook" from the Help menu. If the second line in the resulting dialogue box says "Corporate or Workgroup", you're using MAPI.
• Next, verify that Outlook isn't configured to use POP3 or IMAP4. Go to the Tools menu in Outlook, then select Services. If "Internet E-mail" is not listed among the services, you are running only MAPI, and are not affected by this vulnerability.

If I'm using Outlook and it's configured to use only MAPI, do I need to take any action?
You still need to take action against this vulnerability. The most important reason is because the corrective steps discussed in the Patch Availability section of the bulletin eliminate not only the specific vulnerability at issue here, but others as well. These other vulnerabilities are discussed in Microsoft Security Bulletins MS00-045 and MS00-046. In particular, the vulnerability discussed in MS00-046 affects all Outlook users, regardless of what mail protocol they use.
In addition, there are some unusual scenarios in which it could be possible to be affected by this vulnerability even if you use only MAPI. These scenarios are much more complicated and less likely to succeed than those described above. However, because such cases do exist, we recommend that all users take corrective action.

How could a malicious user exploit this vulnerability?
The malicious user would need to create an e-mail addressed to another user, use a hexadecimal editor to change the affected e-mail header, then send it to the other user. If the recipient was using an affected mail client, and it was using either POP3 or IMAP4 to communicate with the mail server, the data in the e-mail header would overrun the buffer when it was downloaded from the server.
The effect of the overrun would depend on the data that the malicious user had put into the e-mail header. If it were random data, the effect would be to cause the mail client to fail. However, if it were carefully selected, it could be used to make the mail client perform other functions of the malicious user's choice.

Would I need to open the mail to be affected by the vulnerability?
No. The vulnerability would be exploited when the mail was being retrieved from the server - that is, before it even appeared in your inbox.

If my mail client failed as a result of this vulnerability, what would I need to do?
You could restart Outlook or Outlook Express, but the offending mail would still be on the server. The next time you retrieved mail from the server, it would cause your mail client to fail again. To resolve the situation, you'd need to ask the mail server's administrator to delete the mail for you.

Would this vulnerability cause any damage to the mail server?
No. The vulnerability lies entirely within the mail clients at issue, and wouldn't have any effect on the server.

How can I tell if I'm vulnerable to this issue?
You are not affected by the vulnerability if any of the following are true:

• You have performed a default installation Internet Explorer 5.01 Service Pack 1 on your system.
• You have performed a default installation Internet Explorer 5.5 on your system and your system is not Windows 2000.
• You have installed the patch discussed in either Microsoft Security Bulletin MS00-045 or MS00-046.

If none of the above apply to you, you should install the patch.

What's the significance of having a default installation of IE 5.01 SP1 or IE 5.5?
The component at issue here (inetcomm.dll) is installed only if Outlook Express is installed as part of the IE installation. This is the default condition. If you choose a minimal installation, or if you choose a custom installation and de-select the option to upgrade Outlook Express, you'll still be vulnerable.

Why doesn't IE 5.5 eliminate the vulnerability for Windows 2000 users?
IE 5.5, when installed as part of Windows 2000, doesn't include Outlook Express 5.5. However, Windows 2000 users who have installed IE 5.5 have three options for eliminating the vulnerability:

• Install the patch discussed in the bulletin.
• Uninstall IE 5.5 (using the Add/Remove Programs function in Control Panel), and then install IE 5.01 SP1
• Install Windows 2000 Service Pack 1 when available. Windows 2000 SP1 will include Outlook Express 5.5

All of the corrective actions in the bulletin seem to affect Outlook Express, but I don't see a patch for Outlook. Why is this?
The component that contains the vulnerability, Inetcomm.dll, is used by both Outlook and Outlook Express, but it ships as part of Outlook Express. As a result, the solution for all users is the same -- apply a patch to Outlook Express or install a new version of Outlook Express. Once this is done, the corrected version of Inetcomm.dll will be in place and available for use by both Outlook and Outlook Express. The Office Update web site has more information on what Outlook users should do.

What is Microsoft doing about this issue?

• Microsoft has delivered upgrades and a patch that eliminate the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

Download locations for this patch The vulnerability can be eliminated by taking any of the following actions:

• Contacting Microsoft Product Support
• Performing a default installation of Internet Explorer 5.01 Service Pack 1.
• Performing a default installation of Internet Explorer 5.5 on any system except Windows 2000. Note: The patch requires IE 5.01 or IE 4.01 SP2 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q267884.

  Note: The vulnerability eliminated by this patch occurs in a component that is used by both Microsoft Outlook and Outlook Express, and is distributed as part of Internet Explorer and Outlook Express. Customers who use Outlook should install the patch or version upgrade appropriate to the version of Internet Explorer and Outlook Express that is present on their machines.

  Note: In addition to eliminating the vulnerability at issue here, the patch above also eliminates all vulnerabilities discussed in Microsoft Security Bulletins MS00-045 and MS00-046. Customers who already have taken the corrective action discussed in either of these bulletins do not need to take any additional action.

  Note Additional security patches are available at the Microsoft Download Center