Security Bulletin

Microsoft Security Bulletin MS02-067 - Moderate

E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)

Published: December 04, 2002

Version: 1.0

Originally posted: December 04, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Outlook 2002.

Impact of vulnerability:  Denial of Service

Maximum Severity Rating:  Moderate

Recommendation:  Customers should consider applying the patch.

Affected Software:

  • Microsoft Outlook 2002

End User Bulletin:  An end user version of this bulletin is available at: https:

General Information

Technical details

Technical description:

Microsoft Outlook provides users with the ability to work with e-mail, contacts, tasks, and appointments. Outlook e-mail handling includes receiving, displaying, creating, editing, sending, and organizing e-mail messages. When working with received e-mail messages, Outlook processes information contained in the header of the e-mail which carries information about where the e-mail came from, its destination, and attributes of the message.

A vulnerability exists in Outlook 2002 in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances. The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook 2002 client would again function normally.

Mitigating factors:

  • Outlook 2002 clients connecting to e-mail servers using the MAPI protocol are not affected. Only Outlook 2002 clients using POP3, IMAP, or WebDAV protocols are vulnerable.
  • The vulnerability does not affect Outlook 2000 or Outlook Express.
  • The vulnerability is a denial of service vulnerability only. The attacker would not be able to access the user's e-mail or system in any way. The vulnerability could not be used to read, delete, create, or alter the user's e-mail.
  • If an attacker was able to send a specially malformed e-mail that successfully exploited this vulnerability, the specially malformed e-mail could be deleted either by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express. Once the specially malformed e-mail has been removed, normal operation would resume.

Severity Rating:

Outlook 98: None
Outlook 2000: None
Outlook 2002: Moderate
Outlook Express: None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1255

Tested Versions:

Microsoft tested Outlook 98, Outlook Express, Outlook 2000, and Outlook 2002 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause a user to be unable to use Outlook 2002 to access their e-mail. The vulnerability could not be used by an attacker to access the user's e-mail or system in any way, nor does it pose any risk to e-mail servers. The only effect of a successful attack would be the failure of Outlook 2002 when the user attempted to access the e-mail server. Removing the specially malformed e-mail message from the e-mail server would return the Outlook client to normal operation.

What causes the vulnerability?
The vulnerability results from a flaw in the way Outlook 2002 processes e-mail header information. Processing an e-mail with a particular type of malformed header could cause Outlook 2002 to fail.

What is Outlook?
Microsoft Outlook, which ships as part of Microsoft Office, provides users with the ability to work with e-mail, contacts, tasks, and appointments. Using Outlook for handling e-mail includes the ability to receive, display, create, edit, send, and organize e-mail messages.

What's an e-mail header?
E-mail servers and clients need information that tells them how to process incoming and outgoing e-mails. This information is provided within the e-mail through header fields. Examples of the type of information contained in e-mail header fields include the sender's and receiver's addresses, the time at which the mail was sent, and the name of the mail server that received the mail.

What's wrong with the way Outlook 2002 handles e-mail headers?
In the vulnerability at issue here, Outlook 2002 doesn't correctly process a certain type of invalid information that could be contained in a header field. If an Outlook 2002 client attempted to access an e-mail message containing the specially malformed information using POP3, IMAP, or WebDAV as the access protocol, the Outlook client would fail.

What are the POP3, IMAP, and WebDAV protocols?
POP3 (defined in RFC 1939), IMAP (defined in RFC 2060), and WebDAV (defined in RFC 2518) are protocols that can be used to access e-mail servers to send and receive mail. If your e-mail server is on an Internet Service Provider's server, you are likely using POP3 or IMAP to access your e-mail. WebDAV is a set of extensions to the HTTP protocol and is used by Outlook clients when accessing Hotmail. Another protocol, MAPI, is commonly used by enterprises for their e-mail systems. However, systems using MAPI are not affected by this vulnerability.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause a user to be unable to access their e-mail using Outlook 2002. The Outlook 2002 client could continue to fail until corrective action has been taken, usually by the e-mail administrator.

How might an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by sending a specially malformed e-mail message to a user who uses Outlook 2002 to access an e-mail server via the POP3, IMAP, or WebDAV protocol. Upon connecting to the server and processing the e-mail, the Outlook client would fail. The user would be unable to access e-mail on the e-mail server until the specially malformed e-mail message is removed.

Why might Outlook 2002 continue to fail as long as the specially malformed e-mail remains on the e-mail server?
If the specially malformed e-mail message remains on the e-mail server, the Outlook 2002 client would fail each time it encountered the message.

Is this true even in the case of POP3 mail? In that protocol, the mail resides on the client once it's been read, so why would the mail need to be deleted from the server?
When Outlook downloads mail from a POP3 server, it converts it during the download into another format, known as MAPI. The vulnerability lies in the code in Outlook 2002 that effects this conversion. As a result, if an Outlook 2002 client attempted to download an attacker's mail from a POP3 server, the POP3-to-MAPI conversion would fail and the mail would not be removed from the server. As a result, even in the POP3 case, normal processing would require deleting the mail from the server.
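The download, convert, delete ordering described above can be modelled in a few lines. This is an added example, not Microsoft's code and not the Outlook conversion routine: the mailbox is an in-memory dictionary, all function names are hypothetical, and the "header line without a colon" check is a constructed placeholder, since the bulletin does not disclose the header that triggers the failure. It contrasts a client that aborts on a conversion error with one that records the message and carries on.

```python
# Added illustration: in-memory stand-in for a POP3 mailbox and client. The malformed-header
# check is a constructed placeholder; the bulletin does not disclose the real trigger.

class ConversionError(Exception):
    """Raised when a message cannot be converted to the local store format."""

def convert(raw):
    """Toy conversion: header lines to a dict; a line without a colon is rejected."""
    headers = {}
    for line in raw.split("\n\n", 1)[0].split("\n"):
        name, sep, value = line.partition(":")
        if not sep:
            raise ConversionError("unparseable header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers

def fragile_session(server, store):
    """Download-then-delete; the first conversion failure aborts the session."""
    for msg_id in sorted(server):
        store.append(convert(server[msg_id]))  # raises before the delete below
        del server[msg_id]

def tolerant_session(server, store, skipped):
    """Same loop, but a bad message is recorded and skipped instead of fatal."""
    for msg_id in sorted(server):
        try:
            store.append(convert(server[msg_id]))
        except ConversionError:
            skipped.append(msg_id)  # stays on the server for an administrator
            continue
        del server[msg_id]

def run_fragile(server, attempts):
    """Run several fragile sessions; return (failed session count, local store)."""
    failures, store = 0, []
    for _ in range(attempts):
        try:
            fragile_session(server, store)
        except ConversionError:
            failures += 1
    return failures, store

def sample_mailbox():
    # Constructed sample messages; message 2 has a header line with no colon.
    return {
        1: "From: a@example.com\nSubject: one\n\nbody",
        2: "From: b@example.com\nthis line is not a header\n\nbody",
        3: "From: c@example.com\nSubject: three\n\nbody",
    }
```

With the fragile loop, every session fails at message 2 and message 3 is never reached until message 2 is deleted on the server, which is the recovery step the bulletin describes.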

Who could exploit the vulnerability?
This vulnerability could be exploited by any attacker who could craft and send the specially malformed e-mail message.

Would the vulnerability enable the attacker to read e-mail on the server?
No. Even if an attacker were able to successfully exploit this vulnerability, no e-mail messages would be lost or compromised.

What would the user need to do to restore normal operation?
To restore normal operation, the specially malformed e-mail would need to be removed from the e-mail server. There are two ways to do this:

  • the user could use another e-mail client such as Outlook Web Access or Outlook Express to delete the e-mail, or
  • an e-mail administrator could delete the e-mail.

Is Outlook 2000 affected?
The Gold version of Outlook 2000 is affected. However, Service Release 1, Service Pack 2, and Service Pack 3 all eliminate the vulnerability. Microsoft typically releases security patches only for the current service pack and the previous one; we do this because service packs are the best way to keep one's system secure. For instance, in the case of Outlook 2000, the service packs that have been delivered over the 3 years since Outlook 2000 Gold was released eliminate a large number of bugs, including several serious security vulnerabilities. The simplest and most effective way to eliminate all of them -- including this vulnerability -- is to stay up to date on service packs.

Is Outlook Express affected?
No. Outlook Express is not affected by this vulnerability.

Is Outlook 98 affected?
No. Outlook 98 is not affected by this vulnerability.

What does the patch do?
The patch addresses the vulnerability by correcting the flaw and causing Outlook 2002 to correctly process e-mails that contain the invalid header information described above.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

The patch can be applied to Office XP Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in any future Service Packs for Office XP.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

To verify the individual files, use the patch manifest provided in Knowledge Base article 331866.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Richard Lawley for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 331866 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (December 04, 2002): Bulletin Created.
