|
[Use your browser's BACK button to return to the PRIME FAQ Page or click here if you came directly to this page.]
We wrote this FAQ to answer the many questions we receive on this topic from our clients and other inquiring minds in the many electronic communities we frequent.
These patches resolve a coding error (not properly checking for out-of-bounds conditions, something that any Programming 101 graduate should religiously adhere to) that created a vulnerability in these email readers. The vulnerability: if you download (in Outlook 98) or open (in Outlook Express) an attachment to an email, AND the attachment has a long filename of 200 or more characters, that COULD generate an out-of-bounds condition crashing the email reader, at which point malicious code (if it was in place) COULD run, having been placed just beyond the vulnerable long filename character position. Okay. We believe the real-world probability of such an occurrence is almost zero (just look at all the things that have to happen concurrently to expose the vulnerability), but not exactly zero. So you have several choices.
If you're using Outlook 98 or Outlook Express as your email client, you can get an email client that isn't susceptible to this issue (like Pegasus or Eudora), or you can install the patches. The latter operation takes all of 20 minutes or so, depending on the speed of your Internet connection; note that if you never ran the first patches, that's okay, you only need to run the second patches. In carefully observing what took place during the first patch cycle, we noticed some serious documentation gaffes and patch misbehaviors that we documented in the earlier version of this FAQ and The Naked PC #1.4. We have repeated those careful, empirical tests and although Microsoft heeded some of our suggestions, a few glitches remain. In this updated FAQ we report on the problems we observed with the first patches, what Microsoft has (and hasn't) fixed, and the problems we observed with the second patches. We wrote this article as a single-source manual for those of you who decide to install these patches.
Do keep in mind that so far there are exactly zero (none, zip, nada, nil) known data fatalities from this issue. Microsoft released the initial set of patches on July 27th but found that their fix did not completely correct the problem and so released a second set of patches on August 11th. Microsoft reports, "The updated patches now available addresses (sic) the original security issue as well as a variant of that issue that was found during continued testing."
The following table shows version number information of the most recent releases of these two applications, before and after the first and second patches. The executable files you use to launch these applications are not the files being patched; that is, neither Outlook.exe nor Msimn.exe change as a result of the patches. In the case of Outlook Express, the most current pre-patch version is occasionally referred to by Microsoft -- confusingly -- as "Outlook Express 4.01 (SP1)," the real version number being 4.72.3110.5.
In the table's Techniques column: "Help / About" means to run the application and select Help / About and look at the version number in the resulting dialog box. To see the version numbers for the DLL files listed, use Windows Explorer: find the file (Tools / Find / Files or Folders) then right-click the file, choose Properties, and click the Version tab. Outlmime.dll is typically in C:\Program Files\Microsoft Office\Office. Msimnui.dll is typically in C:\Program Files\Outlook Express. Wab32.dll is typically in C:\Program Files\Common Files\System. Inetcomm.dll is usually in C:\Windows\System. "P1" refers to patch 1, "P2" to patch 2.
| Product | Technique | Before P1 | After P1 |
| Outlook 98 | Help / About | 8.5.5104.6 | 8.5.5104.6 |
| Outlook 98 | Outlmime.dll | 4.71.2173.0 | 4.71.2232.26 |
| Outlook Express | Help / About | 4.72.3110.5 | 4.72.3115.0 |
| Outlook Express | Msimnui.dll | 4.72.3110.5 | 4.72.3115.0 |
| Product | Technique | Before P2 | After P2 |
| Outlook 98 | Help / About | 8.5.5104.6 | 8.5.5603.0 |
| Outlook 98 | Outlmime.dll | 4.71.2232.26 | 4.71.2377.0 |
| Outlook Express | Help / About | 4.72.3115.0 | 4.72.3120.0 |
| Outlook Express | Msimnui.dll | 4.72.3115.0 | 4.72.3120.0 |
| Outlook Express | Wab32.dll | 4.72.3110.1 | 4.72.3155.0 |
| Outlook Express | Inetcomm.dll | 4.72.3110.3 | 4.72.3155.0 |
It's annoying that in the case of the original patch the Microsoft Knowledge Base article "OL98: Update Available for Outlook 98 Security Issue" (Q175807) failed to explain what Outlook 98 version number changes to look for. We're happy to inform you that, based on our reporting this documentation oversight to Microsoft management, Microsoft updated its Knowledge Base, at least in part. Their article now reports the updated Outlook 98 Help / About version number, but still omits the patched filename.
The Microsoft Knowledge Base article "OE: Update Available For Outlook Express Security Issue" (Q168019) does explain, as it did in the case of the original patch, what Outlook Express file and version number changes to look for.
Here are the addresses for these two articles:
http://support.microsoft.com/support/kb/articles/q175/8/07.asp
http://support.microsoft.com/support/kb/articles/q168/0/19.asp
The Outlook 98 second patch behaved as expected and, unlike its predecessor, does update the version number it displays in its Help / About dialog box. We're glad to see Microsoft took our criticism of that inconsistency to heart and fixed it this time around.
The Outlook Express second patch ran as expected, however... Microsoft wisely used a different name for the Outlook 98 second patch (Outptch2.exe versus Outpatch.exe). Confusingly, they decided to use the SAME name for the Outlook Express 4.01 SP1 second patch and the corresponding first patch (Oepatsp1.exe). Ditto for the Outlook Express 4.01 (not SP1) patches (both named Oepat401.exe). This unnecessary confusion is unfathomable.
We've informed Microsoft product management of these additional problems.
Here are the second patch filenames, their download sizes, and additional useful information:
Outlook 98 second patch:
Outlook Express second patch:
For more information about Microsoft's take on this file attachment security issue, see: http://www.microsoft.com/security/
Also affected by this issue are the email readers in Netscape Communicator versions 4.0-4.05 (Win3.1, Win9x, and WinNT), and Communicator 4.5 Preview Release 1 (Win9x and WinNT). You can download Communicator 4.06, or a new version of Communicator 4.5 Preview Release 1, both of which fix this bug. For more information see:
http://home.netscape.com/products/security/resources/bugs/longfile.html
Moral of the story: when patching, always carefully study the manufacturer's documentation about what to look for as empirical proof the patch succeeded. Then do that examination after running the patch.
|
Return to Top