* This is the vopmailbeta mailing list *
I'm reposting information that was sent to us a couple of weeks ago by
Ronnie Franklin. Microsoft acknowledged there's a problem in the way that
Outlook 2002 processes headers and created a patch:

-----Original Message-----
From: Microsoft [mailto:[EMAIL PROTECTED] osoft.com]
Sent: Wednesday, December 04, 2002 9:49 PM
Subject: Microsoft Security Bulletin MS02-067: E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      E-mail Header Processing Flaw Could Cause Outlook 2002
            to Fail (331866)
Date:       04 December 2002
Software:   Microsoft Outlook 2002
Impact:     Denial of Service
Max Risk:   Moderate
Bulletin:   MS02-067

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS02-067.asp
http://www.microsoft.com/security/security_bulletins/MS02-067.asp
- ----------------------------------------------------------------------

Issue:
======
Microsoft Outlook provides users with the ability to work with e-mail,
contacts, tasks, and appointments. Outlook e-mail handling includes
receiving, displaying, creating, editing, sending, and organizing e-mail
messages. When working with received e-mail messages, Outlook processes
information contained in the header of the e-mail which carries
information about where the e-mail came from, its destination, and
attributes of the message.

A vulnerability exists in Outlook 2002 in its processing of e-mail header
information. An attacker who successfully exploited the vulnerability
could send a specially malformed e-mail to a user of Outlook 2002 that
would cause the Outlook client to fail under certain circumstances. The
Outlook 2002 client would continue to fail so long as the specially
malformed e-mail message remained on the e-mail server.
The e-mail message could be deleted by an e-mail administrator, or by the
user via another e-mail client such as Outlook Web Access or Outlook
Express, after which point the Outlook 2002 client would again function
normally.

Mitigating Factors:
====================
 - Outlook 2002 clients connecting to e-mail servers using the MAPI
   protocol are not affected. Only Outlook 2002 clients using POP3,
   IMAP, or WebDAV protocols are vulnerable.

 - The vulnerability does not affect Outlook 2000 or Outlook Express.

 - The vulnerability is a denial of service vulnerability only. The
   attacker would not be able to access the user's e-mail or system in
   any way. The vulnerability could not be used to read, delete, create,
   or alter the user's e-mail.

 - If an attacker was able to send a specially malformed e-mail that
   successfully exploited this vulnerability, the specially malformed
   e-mail could be deleted either by an e-mail administrator, or by the
   user via another e-mail client such as Outlook Web Access or Outlook
   Express. Once the specially malformed e-mail has been removed, normal
   operation would resume.

Risk Rating:
============
 - Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-067.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Richard Lawley

Margot MacNutt
Vircom Technical Support
Phone: (514) 845-8474
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Phil Hart" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 18, 2002 9:57 AM
Subject: [VOPmail Beta] disappointment

> I just want to say this. I had a customer who couldn't get an email.
> Check the msg file and it has a bad header, it has only part of a
> header, and an ending . on a line by itself in the middle of the header.
> Removed this message from their inbox and they can get mail fine.
> I put the same message in my inbox and checked it. My client received
> all my emails fine, didn't stop on the bad message, but never even
> showed the bad message. All messages were removed from my inbox
> directory, so I know it got it. I'm using Outlook 2002.
>
> I guess my point is it also has a lot to do with the client. I'd like
> to do more testing with different clients, and I don't know what client
> the original customer had.
>
> You may also be interested in this
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-067.asp
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Administrator
> Sent: Wednesday, December 18, 2002 6:18 AM
> To: [EMAIL PROTECTED]
> Subject: [VOPmail Beta] disappointment
>
> Firstly, let me apologise if there has been a fix to this problem, but I
> don't believe there has been.
> Sure, I have an older version of vopmail; my understanding is that it has
> not been fixed in the new versions.
>
> I have just lost another customer due to mail getting stuck and not
> being able to be retrieved due to malformed headers, spam, whatever.
>
> Please advise if there has been a fix or when we can expect one.
>
> Regards
>
> Tim

**
To leave this list, send an email to [EMAIL PROTECTED]
and put the word "LEAVE" in the BODY of the email.
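A server-side check for the situation described in the thread above (a stored message with only part of a header and a lone "." in the middle of it), added here as an example and not part of the original thread or of Vircom's code. It assumes one RFC 5322 message per file in a mailbox directory of `*.msg` files; the function names and sample messages are constructed for illustration. It flags structurally broken header blocks so an administrator can review or remove them, and does not test for the specific MS02-067 trigger, which the bulletin does not describe.

```python
import re
from pathlib import Path

# RFC 5322 field line: a name of printable ASCII (no colon), then ":".
FIELD = re.compile(rb"^([\x21-\x39\x3b-\x7e]+)[ \t]*:")
REQUIRED = {b"date", b"from"}  # the only fields RFC 5322 makes mandatory

def header_problems(raw: bytes) -> list[str]:
    """List the reasons a stored message's header block looks malformed."""
    problems, seen, terminated = [], set(), False
    for n, line in enumerate(raw.splitlines(), 1):
        if line == b"":                    # blank line ends the header block
            terminated = True
            break
        if line == b".":                   # SMTP end-of-data marker, stray here
            problems.append(f"line {n}: lone '.' inside header block")
        elif line[:1] in (b" ", b"\t"):    # folded continuation of a field
            if not seen:
                problems.append(f"line {n}: continuation before any field")
        elif (m := FIELD.match(line)):
            seen.add(m.group(1).lower())
        else:
            problems.append(f"line {n}: not a header field")
    if not terminated:
        # Legal only for a message with no body at all; flagged for review.
        problems.append("no blank line after header block")
    for name in sorted(REQUIRED - seen):
        problems.append(f"missing required field: {name.decode()}")
    return problems

def scan_spool(spool: Path, pattern: str = "*.msg") -> dict[str, list[str]]:
    """Map each suspect file name in a mailbox directory to its problems."""
    report = {}
    for path in sorted(spool.glob(pattern)):
        found = header_problems(path.read_bytes())
        if found:
            report[path.name] = found
    return report

# Constructed samples: a well-formed message and one cut off mid-header.
GOOD = (b"From: a@example.com\r\nDate: Wed, 18 Dec 2002 09:57:00 -0500\r\n"
        b"Subject: hi\r\n\r\nbody\r\n")
BAD = b"Received: from mx.example.com\r\nSubject: hel\r\n.\r\n"

if __name__ == "__main__":
    print(header_problems(GOOD))
    print(header_problems(BAD))
```

Files reported by `scan_spool` are candidates for quarantine rather than automatic deletion, since some legitimate senders also produce non-conforming headers.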
