Security Advisory : CT09-01-2007
Microsoft Outlook Advanced Find - Remote Code Execution

Affected Products:
Microsoft Outlook 2002
Microsoft Outlook 2003
1. OVERVIEW
Microsoft Outlook is a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar
and contact information.
As part of its standard offering, Outlook also includes an Advanced
Find facility (Finder.exe) that lets end users query any aspect of
their stored mail, calendar and contact data.
Unfortunately, it transpires that Outlook/Finder is susceptible to
a remote buffer overflow vulnerability when processing the contents
of a specially crafted Office Saved Search (.oss) file.
2. TECHNICAL NARRATIVE
The issue in question stems from a simple oversight in the design of
an intrinsic string manipulation function, which copies up to
1024 bytes of user-supplied Unicode content into a pre-allocated buffer
of only 512 bytes. A length check is performed, but it does not bound
the number of bytes actually written, so it passes input the
destination cannot accommodate.
The net result is a classic stack overflow condition, in which
Instruction Pointer (EIP) control is gained via one of several available
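To make the unit mismatch concrete, the following C example is added here; it is not Finder.exe's code, which is not public. The 512-byte destination and the 1024-byte Unicode copy mirror the numbers above; the function names, the 512-character check limit and the sample input are assumptions made for illustration. A heap region twice the destination size stands in for the stack so that the bytes written past the buffer can be counted without corrupting the demo process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Finder.exe's code. The 512-byte destination and
 * the 1024-byte copy mirror the advisory; the check limit, the names and the
 * input are assumed for illustration. */

#define DEST_BYTES 512   /* capacity of the fixed-size destination buffer   */
#define MAX_CHARS  512   /* limit the flawed check enforces, in characters */

typedef uint16_t wchar16; /* one UTF-16 code unit, as Windows stores strings */

/* Vulnerable pattern: the bound is checked in characters, but the copy is
 * sized in bytes, so 512 characters (1024 bytes) pass the check and land
 * in a 512-byte buffer. */
static bool copy_name_vulnerable(uint8_t *dest, const wchar16 *src, size_t nchars)
{
    if (nchars > MAX_CHARS)                      /* looks sufficient, wrong unit */
        return false;
    memcpy(dest, src, nchars * sizeof(wchar16)); /* writes up to 1024 bytes */
    return true;
}

/* Hardened: compute the byte count that will actually be written (including
 * a terminating code unit) and compare it with the destination's byte capacity. */
static bool copy_name_fixed(uint8_t *dest, size_t dest_bytes,
                            const wchar16 *src, size_t nchars)
{
    if (nchars > SIZE_MAX / sizeof(wchar16) - 1)   /* guard the multiplication */
        return false;
    size_t need = (nchars + 1) * sizeof(wchar16);
    if (need > dest_bytes)
        return false;
    memcpy(dest, src, nchars * sizeof(wchar16));
    dest[nchars * sizeof(wchar16)] = 0;            /* UTF-16 terminator */
    dest[nchars * sizeof(wchar16) + 1] = 0;
    return true;
}

/* Demonstration harness. A 1024-byte region stands in for a 512-byte stack
 * buffer followed by 512 bytes of whatever sits above it (saved frame pointer,
 * return address). Returns the number of those 512 out-of-bounds bytes the
 * copy overwrote; *accepted reports whether the copy went ahead at all. */
static size_t demo_overflow(bool use_fixed, bool *accepted)
{
    uint8_t region[2 * DEST_BYTES];
    memset(region, 0xCC, sizeof region);      /* 0xCC marks untouched bytes */

    wchar16 name[MAX_CHARS];                  /* constructed 512-character input */
    for (size_t i = 0; i < MAX_CHARS; i++)
        name[i] = 0x4141;                     /* 'AA' per code unit, easy to spot */

    if (use_fixed)
        *accepted = copy_name_fixed(region, DEST_BYTES, name, MAX_CHARS);
    else
        *accepted = copy_name_vulnerable(region, name, MAX_CHARS);

    size_t clobbered = 0;
    for (size_t i = DEST_BYTES; i < sizeof region; i++)
        if (region[i] != 0xCC)
            clobbered++;
    return clobbered;
}

/* Whether the fixed version accepts nchars characters into a 512-byte buffer:
 * 255 characters plus terminator fit exactly, 256 do not. */
static bool fixed_accepts(size_t nchars)
{
    uint8_t dest[DEST_BYTES];
    wchar16 src[MAX_CHARS] = {0};             /* constructed zero-filled input */
    if (nchars > MAX_CHARS)
        return false;
    return copy_name_fixed(dest, sizeof dest, src, nchars);
}

int main(void)
{
    bool ok;
    size_t n = demo_overflow(false, &ok);
    printf("vulnerable: accepted=%d, bytes written past buffer=%zu\n", ok, n);
    n = demo_overflow(true, &ok);
    printf("fixed:      accepted=%d, bytes written past buffer=%zu\n", ok, n);
    printf("fixed accepts 255 chars: %d, 256 chars: %d\n",
           fixed_accepts(255), fixed_accepts(256));
    return 0;
}
```

Run as-is, the vulnerable path reports 512 bytes written beyond the buffer, which on a real stack is the region holding the saved frame pointer and return address; the fixed path rejects the same input because it compares bytes against bytes.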
3. EXPLOITATION
As with most file parsing vulnerabilities, the aforementioned issue
will require a certain degree of social engineering to achieve successful
However, the icon shown for an Office Saved Search (.oss) attachment
closely resembles that of a harmless-looking e-mail message.
As such, end users could be fooled into thinking the attachment is
a non-threatening mail forward.
4. VENDOR RESPONSE
The vendor security bulletin and corresponding patches are available at the
5. DISCLOSURE ANALYSIS
12/05/2006 - Preliminary Vendor
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.
Total Time to Fix: 7 months 29 days (243 days in total)
The vulnerability was discovered by Stuart Pearson,
Computer Terrorism (UK) :: Incident Response Centre.