Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.org> on 1998/07/27 21:01:27 UTC

Fwd: Microsoft Security Bulletin (MS98-008)

We might want to make sure there aren't any Win32 DoS attacks, or even
security holes, associated with asking os_canonical_filename to resolve
really really long paths.

	Brian

>Date:	Mon, 27 Jul 1998 11:53:38 -0500
>From:	Aleph One <al...@DFW.NET>
>Subject:      Microsoft Security Bulletin (MS98-008)
>To:	BUGTRAQ@NETSPACE.ORG
>
>---------- Forwarded message ----------
>Date: Mon, 27 Jul 1998 09:22:22 -0700
>From: Microsoft Product Security Response Team <se...@MICROSOFT.COM>
>To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
>Subject: Microsoft Security Bulletin (MS98-008)
>
>Microsoft Security Bulletin (MS98-008)
>--------------------------------------
>
>Update Available For Long Filename Security Issue affecting Microsoft
>Outlook 98 and Microsoft Outlook Express 4.x
>
>Last Revision: July 27, 1998
>
>Summary
>=======
>Recently Microsoft was notified by AUSCERT (http://www.auscert.org.au),
>OUSPG (http://www.oulu.fi) and NTBugtraq (http://ntbugtraq.ntadvice.com) of
>a security issue affecting the way Microsoft email clients handle file
>attachments with extremely long file names. When a user attempts to
>download, open or launch a file attachment that has a name greater than a
>certain number of characters, the action might cause the client to shut down
>unexpectedly. Once the client has crashed, a skilled hacker could possibly
>run arbitrary code in the computer's memory.
>
>The purpose of this bulletin is to inform Microsoft customers of this issue,
>its applicability to Microsoft products, and the availability of
>countermeasures Microsoft has developed to further secure its customers.
>
>Issue
>=====
>This issue can cause one of the following to occur when attempting to
>download, launch or view a file attachment in Microsoft Outlook 98 or
>Microsoft Outlook Express that has a name that is greater than a certain
>number of characters:
>
>1. An error message similar to the following may be displayed:
>   This program has performed an illegal operation and will be shut down.
>   If the problem persists, contact the program vendor.
>
>2. Outlook 98 or Outlook Express may terminate unexpectedly.
>
>It is difficult but possible for an individual to cause malicious code to be
>executed on your computer as a result of this problem. There have not been
>any reports of customers being affected by this problem.
>
>Specific Details
>================
>Outlook 98
>----------
>When Outlook 98 attempts to download a message with a file attachment that
>has a filename greater than a certain length, Outlook could terminate
>unexpectedly. The user does not have to open the attachment in order for
>this to occur.
>
>This issue will only occur if Outlook 98 is installed with an Internet Mail
>Only configuration, or with an Internet Mail service in the
>Corporate/Workgroup configuration.
>
>When the user attempts to open an attachment in the Outlook 98 newsreader
>and the attachment has a filename longer than a certain number of
>characters, the client could crash. (see Workaround for the newsreader
>below)
>
>Outlook Express
>---------------
>When the user attempts to open an attachment in Outlook Express mail or news
>client and the attachment has a filename longer than a certain number of
>characters, the client could terminate unexpectedly. (see Workaround below)
>
>Affected Software Versions
>==========================
>   * Outlook 98 on Windows '95, Windows '98 and Windows NT, when
>   configured for Internet Mail Only OR Corporate/Workgroup support
>   with an Internet Mail service.  Outlook 97 and Outlook for
>   Macintosh, Microsoft Exchange Server Edition are not affected by
>   this issue.
>
>   * Outlook Express included with Internet Explorer 4.0, 4.01 & 4.01
>   with Service Pack 1 on Windows '95, Windows '98 and Windows NT
>
>   * Outlook Express included with Internet Explorer 4.01 on Solaris.
>
>   * Outlook Express included with Internet Explorer 4.01 on the Macintosh.
>
>   * Outlook Express 4.01 for Windows 3.1 is not affected by this issue.
>
>
>What Microsoft is Doing
>=======================
>Microsoft has posted an update that protects customers against a potential
>problem involving file attachments with extremely long names.
>
>To get the update for Microsoft Outlook 98 for Windows '95, Windows '98 &
>Windows NT, see http://support.microsoft.com/support/msfe.
>1. On the Microsoft File Exchange page, click "Click Here to Receive a
>   file from a Microsoft Technical Support engineer via your web browser."
>2. On the "Receiving Files From MFSE" page, type OLMIME in the box, and
>   click Continue
>3. The name of the file is outpatch.exe
>
>This patch will work for all language versions of Microsoft Outlook 98.
>
>If you use the Outlook 98 newsreader, you must also install the update for
>Outlook Express noted below.
>
>Microsoft Outlook Express 4.0 users
>-----------------------------------
>If you are using Outlook Express 4.0 that comes with Internet Explorer 4.0,
>you must upgrade to Internet Explorer 4.01 in order to apply this update.
>You can upgrade to Internet Explorer 4.01 with Service Pack 1 at the
>following location: http://www.Microsoft.com/ie
>
>To get the update for Microsoft Outlook Express 4.01 for Windows '95,
>Windows '98 & Windows NT, see
>http://www.microsoft.com/ie/security/oelong.htm
>
>The update for Microsoft Outlook Express 4.01 for the Macintosh & Solaris
>will be released shortly, please visit http://www.Microsoft.com/security for
>updated information.
>
>What customers should do
>========================
>Microsoft recommends that customers using Internet Explorer 4.0 immediately
>upgrade to Internet Explorer 4.01 and then apply the update. Customers using
>Outlook '98  & Internet Explorer 4.01 can directly apply the appropriate
>update.
>
>Administrative workaround
>=========================
>Customers who cannot apply the hot fix to Outlook Express can use the
>following workaround to temporarily address this issue:
>
>For Outlook Express
>-------------------
>Customers who get attachments in e-mail should NOT click on the attachment.
>They should save the attachment to their hard drive and then view the
>attachment using the Windows Explorer. To save the attachment the user
>should:
>   1. Select Save Attachment from the File Menu.
>   2. Choose the attachment name from the pop up menu and save to a hard
>drive.
>   3. Bring up the Windows Explorer and view the attachment on the hard
>drive.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
>
>   * Microsoft Security Bulletin 98-008, Update Available For Long
>     Filename Security Issue affecting Microsoft Outlook 98 &
>     Microsoft Outlook Express 4.x (the web-posted version of this
>     bulletin), http://www.microsoft.com/security/bulletins/ms98-008.htm
>
>   * Microsoft Internet Explorer Security Web Site,
>     http://www.microsoft.com/ie/security
>
>Revisions
>=========
>July 27, 1998: Bulletin Created
>
>For additional security-related information about Microsoft products, please
>visit http://www.microsoft.com/security
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
>IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 1998 Microsoft and/or its suppliers. All rights reserved.
>For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
>
> 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices  |     brian@apache.org
acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org

Re: Fwd: Microsoft Security Bulletin (MS98-008)

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 27 Jul 1998, Brian Behlendorf wrote:

> 
> We might want to make sure there aren't any Win32 DoS attacks, or even
> security holes, associated with asking os_canonical_filename to resolve
> really really long paths.

I really think this just looks like your standard userland buffer
overflow caused by lack of bounds checking...

If it is anything more, that would be horribly lame and the OS should be
the thing being patched.
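
Added example, not part of the thread and not Apache's code: a filename canonicaliser that does the bounds checking this thread is concerned with, rejecting an over-long name instead of truncating or overrunning its output buffer. The function name `canon_filename_bounded`, the 260-byte limit and the 5000-byte test name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define CANON_MAX 260  /* assumed limit, modelled on Win32 MAX_PATH */

/* Hypothetical bounded canonicaliser (not Apache's os_canonical_filename):
 * lower-cases, turns '\\' into '/', and collapses runs of '/'.
 * Returns 0 on success, -1 on bad arguments or if the result will not fit.
 * When it will not fit, dst becomes "" so no truncated path is ever used. */
int canon_filename_bounded(const char *src, char *dst, size_t dstlen)
{
    size_t out = 0;
    char prev = '\0';

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        char c = (*src == '\\') ? '/' : (char)tolower((unsigned char)*src);
        if (c == '/' && prev == '/')
            continue;               /* collapse duplicate separators */
        if (out + 1 >= dstlen) {    /* keep one byte for the terminator */
            dst[0] = '\0';
            return -1;              /* reject; never truncate or overflow */
        }
        dst[out++] = c;
        prev = c;
    }
    dst[out] = '\0';
    return 0;
}

/* Constructed check: a 5000-byte name must be rejected and must leave the
 * guard bytes placed directly after the output buffer untouched. */
int long_name_is_rejected(void)
{
    static char longname[5001];     /* zero-initialised, so it stays terminated */
    struct { char buf[CANON_MAX]; char guard[8]; } s;

    memset(longname, 'A', sizeof(longname) - 1);
    memset(s.guard, 0x5A, sizeof(s.guard));
    if (canon_filename_bounded(longname, s.buf, sizeof(s.buf)) != -1)
        return 0;
    for (size_t i = 0; i < sizeof(s.guard); i++)
        if (s.guard[i] != 0x5A)
            return 0;
    return s.buf[0] == '\0';
}

int main(void) { return long_name_is_rejected() ? 0 : 1; }
```

Rejecting rather than truncating matters for a web server: a silently shortened path can name a different file than the one that was access-checked.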