[Am-info] Microsoft Outlook Express DOS Device Denial of Service Vulnerability
Fred A. Miller
fm@cupserv.org
Mon, 6 May 2002 09:04:50 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft Outlook Express DOS Device Denial of Service Vulnerability
BugTraq ID: 4584
Remote: Yes
Date Published: Apr 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4584
Summary:
A denial of service issue has been reported in Microsoft Outlook Express.
Reportedly, this issue occurs if an HTML email message with a URL pointing
to a non-existent DOS-device (CON, AUX, PRN, NUL), is embedded in the
BGSOUND or IFRAME tag. Upon the user opening the mail message, Outlook
Express will consume 100% CPU usage.
Either the process is ended via the Task Manager or a system restart is
required in order to regain normal functionality.
It has also been reported that the offending message cannot be deleted
from the user's mailbox. If this is the case, re-installation of Outlook
Express may be required.
This issue may be the result of an unchecked buffer. If this is the case,
there is a possibility that arbitrary code may be executed on the
vulnerable target. However, this has not yet been confirmed.
- --
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
- --- SuSE Linux v8.0 Pro---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjzWf3IACgkQB9vk4ichYXcaOgCfZEesy0Adq8kQAa4xDfq12hPk
FwgAn1mjmDOSRuNhjwe6oVsujYWM++QP
=R6pY
-----END PGP SIGNATURE-----
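Added example, not part of the original post or the SecurityFocus advisory: a mail-gateway style check that flags HTML parts whose BGSOUND or IFRAME tag has a src naming one of the DOS devices listed above. The function names, the sample message and the file:/// URL form are assumptions made for illustration; the advisory does not give the exact URL syntax.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOS_DEVICES = {"CON", "AUX", "PRN", "NUL"}  # device names listed in the advisory
WATCHED_TAGS = {"bgsound", "iframe"}        # tags listed in the advisory

def names_dos_device(url):
    """True if the last path segment of url is a DOS device name,
    in any case and with or without an extension (AUX, aux.wav)."""
    try:
        path = urlsplit(url.strip()).path
    except ValueError:
        return False
    last = re.split(r"[\\/]", path.rstrip("\\/"))[-1]
    return last.split(".")[0].upper() in DOS_DEVICES

class SrcScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # also called for <tag .../>
        if tag in WATCHED_TAGS:
            self.hits += [(tag, v) for k, v in attrs
                          if k == "src" and v and names_dos_device(v)]

def scan_message(raw):
    """Return the suspicious (tag, src) pairs found in every text/html part."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""  # undoes QP / base64
        scanner = SrcScanner()
        scanner.feed(body.decode("latin-1"))  # latin-1 never fails to decode
        scanner.close()
        hits += scanner.hits
    return hits

# Constructed sample message; the file:/// URL form is an assumption.
SAMPLE = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<html><body><iframe src=3D"http://www.example.com/page.html"></iframe>\n'
    '<bgsound src=3D"file:///C:/AUX"></body></html>\n'
)
```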