Microsoft warns of new Outlook bug

Microsoft today warned that a bug in its Outlook and Outlook Express
Internet software could potentially render useless its "safe
computing" advice to help protect PCs against virus attacks.

Microsoft and other software sellers and security organizations have
long warned people that they should protect themselves against email
viruses by not opening attachments they are not expecting.

But under a potential exploit Microsoft described today, email
recipients wouldn't even have to open booby-trapped attachments or
the email message. Simply receiving the message from the email
server would be enough to trigger the damage.

A component distributed with Microsoft's Internet Explorer browser
and common to both the Outlook email software and Outlook Express
productivity software suite is vulnerable to a buffer overflow
exploit.

Said to be the most common software bug of the past 10 years, the
buffer overflow problem lies in the way fields respond to long
strings of data.

In this instance, the date field of Outlook email is vulnerable to a
buffer overflow attack, in which a bogus and extremely long date can
cause the application to crash and send excess characters--
potentially malicious code--into memory, where they can be executed.

Microsoft said it is working on patches that will protect against
the vulnerability, with patches available for some versions of IE
and the Windows operating system but not for others.

Microsoft said anyone who has installed IE 5.01 Service Pack 1 or IE
5.5 is already protected against the exploit, unless the computer
runs Windows...

http://dailynews.yahoo.com/h/cn/20000718/tc/microsoft_warns_of_new_outlook_bug_4.html
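
A bounded way to copy a message's Date field, as an added example that is not from the article or from Microsoft's code: the length is checked before the copy, so an extremely long date is rejected instead of spilling past the buffer. The function name, status codes, buffer sizes and sample messages are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum date_status { DATE_OK, DATE_MISSING, DATE_TOO_LONG };  /* hypothetical names */

/* Copy the first "Date:" header value from msg into out (capacity outlen,
 * NUL included). Searches only the header block, which ends at the first
 * empty line. An oversized value is rejected, never written past out. */
enum date_status extract_date(const char *msg, char *out, size_t outlen)
{
    const char *line = msg;

    if (outlen == 0)
        return DATE_TOO_LONG;
    out[0] = '\0';
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        size_t len = strcspn(line, "\r\n");       /* length of this header line */
        if (len >= 5 && strncasecmp(line, "Date:", 5) == 0) {
            const char *val = line + 5;
            size_t vlen = len - 5;
            while (vlen > 0 && (*val == ' ' || *val == '\t')) {
                val++;                            /* skip leading whitespace */
                vlen--;
            }
            if (vlen >= outlen)                   /* length check before the copy */
                return DATE_TOO_LONG;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return DATE_OK;
        }
        line += len;                              /* step over CRLF or bare LF */
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return DATE_MISSING;
}

int main(void)
{
    /* Constructed sample messages, not taken from any real mail. */
    char date[64], big[600];
    const char *ok = "From: a@example.com\r\nDate: Tue, 18 Jul 2000 09:00:00 -0700\r\n\r\nbody";

    memset(big, 'A', sizeof big);                 /* 593-byte bogus date value */
    memcpy(big, "Date: ", 6);
    big[sizeof big - 1] = '\0';
    printf("normal: %d (%s)\n", extract_date(ok, date, sizeof date), date);
    printf("overlong: %d\n", extract_date(big, date, sizeof date));
    return 0;
}
```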