Microsoft Security Bulletin MS01-012

Technical description:

Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer.

By creating a vCard and editing it to contain specially chosen data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, the attacker could cause the mail client to run code of her choice on the user's machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine.

Because the component that contains the flaw ships as part of OE, which itself ships as part of IE, the patch is specified in terms of the version of IE rather than OE or Outlook.

Mitigating Factors

• There is no means by which a vCard could be made to open automatically, so the attacker would need to entice the recipient into opening the mail, then opening the vCard. As always, best practices recommend against opening untrusted e-mail attachments.

Vulnerability identifier: CAN-2001-0145

What's the scope of this vulnerability? 
This is a buffer overrun vulnerability. If an attacker created a vCard containing specially malformed data and then emailed it to someone who uses an affected version of Outlook or Outlook Express, the data in the vCard could, when opened, could cause code of the attacker's choice to run on the recipient's machine. Such code could take any action the user himself could take, including adding, changing or deleting data, communicating with web sites, reformatting the disk drive, and other actions.
There is no capability via this vulnerability to cause a vCard to open automatically. As a result, the attacker would need to persuade the recipient to open the vCard.

What causes the vulnerability? 
There is an unchecked buffer in a component of Outlook Express that processes vCards. By sending a vCard that contains specially chosen data in one of the fields, an attacker could overrun the buffer and cause code of her choice to run when the vCard was opened.

If this is a vulnerability in a component of Outlook Express, why is Outlook affected? 
The affected component ships as part of Outlook Express, but is shared by Outlook. As a result, Outlook, if installed, is also affected by this vulnerability.

What's the difference between Outlook and Outlook Express? 
Outlook Express (OE) is a free, basic mail client that ships as part of Internet Explorer. By default, OE is installed on every Windows system. In contrast, Outlook is a full-featured mail client that ships both as a stand-alone product and as part of the Office family. It's only installed on a machine if the user has specifically installed it.

What's a vCard? 
VCards are virtual business cards - business cards that can be sent via e-mail, and added to the Contacts folder in Outlook and Outlook Express. VCards are typically sent as attachments to e-mails.

What's wrong with the way Outlook Express and Outlook handle vCards? 
The component that processes vCards when they're opened contains an unchecked buffer. As a result, by editing a vCard to include excessively long data in one of the card's fields, an attacker could cause a buffer overrun to occur when the vCard was subsequently opened.

What would this enable the attacker to do? 
Buffer overrun vulnerabilities typically can be exploited in either of two ways. If the buffer is overrun with random data, the application tends to fail. However, if it's overrun with specially chosen data, it's possible to, in essence, change the functionality of the application - in this case, OE or Outlook - while it's running.
In this case, the former attack (overrunning the buffer with random data) wouldn't accomplish much, except to cause the mail client to fail. If this happened, the user could just restart it, delete the offending mail, and continue working. However, the latter attack would allow the attacker to make OE or Outlook do whatever she wanted on the machine of the person who opened the vCard, limited only by the recipient's permissions on the machine. If the recipient had few privileges on the machine, the code might be able to do very little. On the other hand, if the recipient had administrative privileges on the machine, the code could do virtually anything on the machine.

Could the attacker make a vCard open automatically? 
No. Only the recipient could open the vCard. This means that the attacker would need to persuade or entice the recipient into opening it.

Would the vCard open when the recipient read the mail it was attached to? 
No. The recipient would need to first open the mail, then open the vCard, in order for the vulnerability to be exploited. It's worth reiterating that security best practices recommend against ever opening an untrusted e-mail attachment. This not only means that it's a bad idea to open an attachment that's sent to you from someone you don't know, but also that it's a bad idea to open an attachment from someone you do know, if the circumstances of the e-mail seem unusual.

Suppose the recipient dragged the vCard into his Contacts folder without opening it. Would this pose a risk? 
Yes. The component containing the flaw is executed when a vCard is copied to the Contacts folder.

Could someone accidentally create a vCard that exploits this vulnerability? 
No. A vCard of this type could only be created by carefully modifying a legitimate vCard using a hexadecimal editor.

Why is the patch specified in terms of the version of IE that's on the machine, rather than the version of OE or Outlook? 
Let's start with why the patch isn't specified in terms of the version of Outlook on the machine. As we discussed above, the component that's responsible for the vulnerability ships as part of OE, and is shared by Outlook. As a result, the version of Outlook that's on the machine hasn't any bearing on the version of the patch that's needed - it's the version of OE that's important.
Now let's address why the patch isn't specified in terms of the version of OE. If OE were guaranteed to be present on every user's system, it would make sense to do this. But OE isn't always present. OE ships and is installed by default as part of IE, so it's on the vast majority of users' systems, but it is still possible to de-select it at installation time. If the owner of such a system installed Outlook onto the machine, Outlook would find that the needed component wasn't present on the machine, and would install the version of the OE component corresponding to the version of IE that's on the machine. (Outlook also upgrades the version of IE in some cases). Thus, it's the version of IE, not the version of OE or Outlook, that determines the right version of the patch that needs to be installed.

How do I tell what version of IE is on my system? 
Start IE, then select About Internet Explorer from the Help menu to see the version number.

Who should apply the patch? 
Any customer using Outlook Express or Outlook should apply the patch.

I'm using Outlook, but I de-selected OE at installation time. Do I need the patch? 
Yes. When Outlook is installed, it checks to see whether the needed OE components are present. If they aren't, Outlook installs them.

What does the patch do? 
The patch causes the affected component to truncate all inputs that are longer than the buffer that's designed to hold them.

Download locations for this patch

• http://www.microsoft.com/windows/ie/downloads/critical/q283908/default.asp

Note: As discussed in the FAQ, the patch is specific to the version of IE on the machine, rather than the version of either Outlook or Outlook Express.