July 19, 2000
3:18 PM   Subscribe

Sorry, this link was ultimately by way of /.

To summarize:

This vulnerablilty takes advantage of a buffer in the mail header. Because Outlook and Outlook Express don't make sure the data can fit in their buffers, by breaking the limits they've set, unauthorized commands can be executed on your computer.

Update information, etc., available by following the link.

One of the most interesting aspects of it is that Microsoft acknowledged the vulnerability on June 11th, well over a month ago, and there isn't even a real patch out yet.
posted by cCranium at 3:22 PM on July 19, 2000

cCranium, where'd you get the June 11th date?

Users note: if you have IE 5.5 installed (except on Windows 2000) or IE 5.01 SP1, you're in the clear. Also if you aren't using Outlook for internet mail (POP or IMAP) you're okay.
posted by daveadams at 3:29 PM on July 19, 2000

You would have to be a complete fool to trust Outlook Express, which is why I use another Windows based e-mail program I won't mention. I get more and more disgusted with Microsoft by the day because they make the most bloated and poorly designed software I've ever seen. The devil himself could not have come up with more fiendish software!"why make 31 flavors when you can't get vanilla right?"Please, please, please someone help me learn Linux before I go insane!
posted by Mr. skullhead at 3:42 PM on July 19, 2000

daveadams: sorry, forgot another link, originally in the /. post:

"MSNBC.com posted by cCranium at 6:18 PM on July 19, 2000

aw crap.

posted by cCranium at 6:20 PM on July 19, 2000

Thank the stars for the Mac.
posted by lileks at 11:07 PM on July 19, 2000

As obvious as the buffer-overflow bug should be, somehow companies (especially companies based in Redmond, WA) keep writing mail clients with buffer overflow bugs.
posted by dhartung at 11:19 AM on July 20, 2000

>Thank the stars for the Mac

because Mac programs never have buffer overflows apparently.

Thank the stars for Java.

posted by lagado at 10:06 PM on July 20, 2000

somehow companies (especially companies based in Redmond, WA) keep writing mail clients with buffer overflow bugs

Yeah, you rarely hear of any other companies or development groups with buffer overflow bugs.

That was sarcasm. Sure it's a very common bug. Probably because it's easy to do and hard to discover.
posted by daveadams at 9:18 AM on July 21, 2000

And you certainly don't see half the bugtraq root vulnerabilites on NT, Linux, *BSD, any Unix or any other operating system being buffer overflows, either!

Yeah, Microsoft's the Evil Empire, but a buffer overflow buried somewhere inocuous is near-impossible to find. Sure, Microsoft made the mistake, but it's been what, 4 or 5 years since Outlook was first released (more? I don't know) and it's only being revealed now.

If you want to get your Anti-Microsoft jollies off, pick on 'em about sitting on the bug while they polished off IE5.5, so they could say "Oh, just upgrade to IE5. That'll clear up the problem."
posted by cCranium at 10:28 AM on July 21, 2000

IE 5.01 SP1 also fixed the problem, and it's been out for a while longer than IE 5.5. It's got to take a long time to go back and patch all those old versions of software. I imagine it's easier to do it in the new version.
posted by daveadams at 12:21 PM on July 21, 2000

daveadams: You're right, obviously. But MS still sat on the bug until after IE 5.5 was released.

They probably would've sat on it longer, until they got around to making an actual patch rather than an upgrade I guess, except someone posted it to Bugtraq.

I'm not bashing Microsoft here, I got tired of doing that personally long ago. Reading the /. comments pretty much filled me up on it. I just want to make sure the MeFIites are slamming Microsoft for the right reasons, that's all. :-)
posted by cCranium at 2:45 PM on July 21, 2000