Outlook date header buffer overflow Remediation Resources

There are a number of issues with Microsoft's OutLook. This page primarily addresses a date header buffer overflow vulnerability.

From Microsoft:

" Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Outlook® and Outlook Express. Under certain conditions, the vulnerability could allow a malicious user to cause code of his choice to execute on another user's computer. "

The security bulletin can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-043.asp

From Microsoft Technet:

"The vulnerability results because a component used by both Outlook and Outlook Express contains an unchecked buffer in the module that interprets e-mail header fields when certain e-mail protocols are used to download mail from the mail server. This could allow a malicious user to send an e-mail that, when retrieved from the server using an affected product, could cause code of his choice to run on the recipient's computer."

The complete article can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq00-043.asp0

From SecurityFocus:

"This can also be achieved by encoding the specially formed GMT field as a MIME attachment in Outlook's MIME attached message format. This lends itself to the possibility of a myriad of exploits, such as the execution of trojan horses, the spread of worms, gaining user level access on the target host, etc. automatically without the email recipient's consent to open an attachment or run an executable. A user would only have to download an offending email in order to become susceptible to an attack."

The above is excerpted from additional information available at: http://www.securityfocus.com/bid/1481