Security Information Week 29, 2000
For the first time ever, Norman issues two Security Information bulletins in the same week. Week 29/2000 seems to be a most active week regarding exploits. The other security information for week 29 - Serious vulnerability in Windows (95, 98, NT, 2000) discovered - is available here.
Introduction
A new exploit against Microsoft Outlook and Outlook Express was recently published on a security mailing list by an individual. The poster later claimed that this posting was an error. Nevertheless, the information was by then available.
It later turned out that this exploit had been reported to Microsoft by the South American-based USSR Labs (Underground Security Systems Research) on 3 July, and that USSR Labs had agreed with Microsoft not to release the exploit until a fix was ready.
A few hours after the exploit was made public, Microsoft released information about how to avoid being vulnerable (see below).
Even though no incidents which utilize this exploit have been reported so far, the exploit should be considered severe.
The exploit
This is a potentially very serious security hole.
It turns out that by sending an email with a malformed header, it is possible to crash the email client or even run arbitrary code on the computer receiving the email. The recipient does not have to open or preview this email. The exploit takes effect when the email is downloaded from the mail server even before it reaches the Inbox.
Interestingly, if the client crashes, it will try to download the email from the server the next time it starts, causing a new crash (and so on). The malicious email has to be deleted from the server to avoid this.
Systems vulnerable to this exploit are:
- Outlook 97, 98 and 2000
- Outlook Express versions 4.0, 4.01, 5.0 and 5.01
unless you have installed Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5 (and are not running Windows 2000), or you have configured Outlook to run MAPI services only.
How to avoid being vulnerable
Microsoft has released Security Bulletin MS00-043 about this "Malformed E-mail Header" Vulnerability.
Currently the only way to avoid being vulnerable appears to be to install either Internet Explorer 5.01 SP1 or Internet Explorer 5.5 in such a way that the Outlook Express components are upgraded (the default). Users running Windows 2000 with Internet Explorer 5.5 have to remove it (Control Panel -> Add/Remove Programs) and install Internet Explorer 5.01 SP1.
Microsoft has announced the availability of separate patches to eliminate the vulnerability "shortly". The above mentioned Security Bulletin will then be updated.
Update 21 July 2000
Microsoft has reissued the above-mentioned Security Bulletin (and FAQ), and patches for this vulnerability are now available for download from Microsoft's web site. Follow the link to the Security Bulletin to download or go directly to the download page.
Per Olav Førland
