Outlook contains 'gaping' security hole

by John Leyden

20 Jul 2000

Microsoft has warned that Outlook and Outlook Express users could become infected by email viruses before they open or preview infected messages.

The vulnerability is particularly serious because infection can take place while the email is being downloaded from the server, rather than when an infected message is opened, which is how some of the most deadly viruses yet, including the LoveLetter virus, spread.

All Outlook users on Windows 2000 are affected, as are users of Outlook Express bundled with Internet Explorer (IE). Microsoft recommends that users upgrade to either IE 5.01 Service Pack 1 or IE 5.5 in order to protect themselves against the vulnerability. It is also working on patches to Outlook and Outlook Express that do not involve a full version upgrade.

In a security notice, Microsoft admitted that Outlook is vulnerable to buffer overflows which could be exploited to allow an attacker to cause an email client to either crash or run malicious code.

"Such code could take any action that the user was authorised to take on the machine, including reformatting the hard drive, communicating with an external website, or changing data on the computer," said Microsoft.

The cause of the problem is that a component shared by Outlook and Outlook Express contains an unchecked buffer used when parsing email headers as mail is downloaded via either POP3 or IMAP4. A bogus and extremely long Date field overruns that buffer: the client crashes, and the excess data, which could be malicious code, is written into adjacent areas of memory where it might then be executed.
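As an added illustration of the fix for this bug class (example code, not from the article, Microsoft or Underground Security Systems Research): a bounds-checked Date-header parser for a POP3/IMAP download path, which refuses an over-long value instead of copying it into a fixed buffer. The buffer sizes, function names and sample headers are assumptions of this example.

```c
/* Added example, not code from the article, Microsoft or the firm that
 * found the bug. Names and sizes are this example's assumptions; a fixed
 * date buffer filled by strcpy() is the unchecked pattern the article describes. */
#include <stddef.h>
#include <string.h>
#include <strings.h>            /* strncasecmp: header names ignore case */
#define DATE_BUF 64             /* assumed size of the client's date buffer */
#define MAX_HEADER_LINE 998     /* RFC 2822 line limit, excluding CRLF */
enum hdr_result { HDR_OK = 0, HDR_NOT_DATE, HDR_TOO_LONG, HDR_BAD_LINE };

/* Parse one header line (no CRLF). The Date value is copied into out only if
 * it fits with its terminator; otherwise nothing is written and HDR_TOO_LONG
 * lets the caller reject the message rather than truncate or overrun. */
enum hdr_result parse_date_header(const char *line, char *out, size_t outsz)
{
    if (strncasecmp(line, "Date:", 5) != 0) return HDR_NOT_DATE;
    const char *v = line + 5;
    while (*v == ' ' || *v == '\t') v++;           /* skip leading blanks */
    size_t vlen = strlen(v);
    if (vlen >= outsz) return HDR_TOO_LONG;        /* would overrun out[] */
    memcpy(out, v, vlen + 1);
    return HDR_OK;
}

/* Walk a raw header block (CRLF lines ended by a blank line), checking each
 * line's length before it is copied anywhere; returns first problem or HDR_OK. */
enum hdr_result scan_headers(const char *raw, char *date, size_t datesz)
{
    char line[MAX_HEADER_LINE + 1];
    while (*raw && *raw != '\r' && *raw != '\n') {
        const char *end = strchr(raw, '\n');
        size_t len = end ? (size_t)(end - raw) : strlen(raw);
        if (len && raw[len - 1] == '\r') len--;
        if (len > MAX_HEADER_LINE) return HDR_BAD_LINE;   /* never copied */
        memcpy(line, raw, len);
        line[len] = '\0';
        enum hdr_result r = parse_date_header(line, date, datesz);
        if (r != HDR_OK && r != HDR_NOT_DATE) return r;
        raw = end ? end + 1 : raw + len;
    }
    return HDR_OK;
}

/* Constructed sample: a header block whose Date value is n bytes of 'A',
 * scanned into a DATE_BUF-sized destination. */
enum hdr_result scan_sample_with_date_len(size_t n)
{
    char raw[1200], date[DATE_BUF];
    if (n > sizeof raw - 40) n = sizeof raw - 40;
    memcpy(raw, "From: a@example.invalid\r\nDate: ", 31);
    memset(raw + 31, 'A', n);
    memcpy(raw + 31 + n, "\r\n\r\n", 5);
    return scan_headers(raw, date, sizeof date);
}
```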

"The danger in this vulnerability is that the buffer overrun would occur even if the user does not open or preview the email message," according to Argentinian security firm Underground Security Systems Research, which discovered the vulnerability.

"The new generation of virus is here. By sending a malformed email you can run arbitrary code on a remote machine," the company added.

Jack Clark, European product manager for Network Associates, said: "This looks like a gaping hole in Microsoft's security, but it is not yet connected with threats you can't deal with using antivirus software."

Neil Barrett, technical director of Information Risk Management, said: "If the core component of Outlook, an established and frequently updated Microsoft product, is subject to buffer overflows, we can only expect a lot more buffer overflows to come."

Despite the fact that Windows 2000 users will need to wait for the forthcoming Service Pack 1 to be protected from the problem, Microsoft is seeking to reassure its users. On other platforms a default installation of either IE 5.01 Service Pack 1 or IE 5.5 would protect users from the problem.

Microsoft also pointed out that the problem does not affect the Messaging Application Programming Interface (MAPI) protocol, used by default when Outlook is used with Microsoft Exchange Server.
