Bounds checking is for losers.
The problem lies in how Outlook and Outlook Express handles the parsing of the GMT section of the date field in the header of an email. This process is handled by INETCOMM.DLL. Improper bounds checking exists on the token represented by GMT. Therefore, if a malicious user was to send a specially crafted email message containing an unusually long value in the GMT specification, the buffer would be overflowed making arbitrary code execution possible.
...
In Outlook Express, a user would merely have to open a folder containing a malicious email in order to become vulnerable. Outlook users are vulnerable if they preview, read, reply, or forward an offending email. The only exception to exploitation is under Outlook if a user deletes or saves the email to disk.
Leave a comment