What is the specific problem and what causes it?
When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email client to shut down unexpectedly. These very long filenames do not normally occur in mail or news messages, and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious email message to run arbitrary computer code contained in the long string. More information on this issue can be found at http://www.microsoft.com/security/bulletins/ms98-008.htm
How do I protect my computer from this issue?
Microsoft has provided software patches for both Outlook Express and Outlook 98. We strongly recommend that you download the appropriate patch immediately. The patch is very easy and quick to download. The download locations for the appropriate patch are noted in Microsoft Security Bulletin MS98-008, http://www.microsoft.com/security/bulletins/ms98-008.htm.
I heard that Microsoft has developed an updated patch. Is this true?
On July 27th Microsoft published a patch for Outlook 98 and Outlook Express 4.x that fixes the vulnerability reported to us by OUSPG. This vulnerability was caused by improper handling of file attachments with very long filenames in Outlook 98 and Outlook Express 4.x.
On August 11th, we posted an updated version of the patch. As part of our on-going security review process and analysis, we discovered a variant of the original vulnerability, which this updated patch addresses as well. This updated patch addresses all known issues in regard to the recent security issues.
Do people need to get both patches?
No. The updated patch posted on Aug 11th includes the original fix and also addresses a variant of the original vulnerability that was found during continued testing.
Does this patch fix all security problems with these products?
This updated patch addresses all known issues in regard to the recent security issues.
How and when did Microsoft find out about this issue?
We were notified of this issue by AUSCERT (http://www.auscert.org.au), OUSPG (http://www.oulu.fi/Welcome.html) and NTBugtraq (http://ntbugtraq.ntadvice.com) in July.
Can this bug happen or be exploited accidentally?
No. The long filename must be maliciously generated, and cannot happen accidentally.
I heard that this affects Outlook 98 and Outlook Express 4.x users differently. Can you please elaborate?
With Outlook 98, the crash could occur upon download of the message with the long filename attachment, whereas with Outlook Express the users would have to open or view the attachment before the error occurs.
How is Microsoft notifying users about this issue?
Microsoft continues to work proactively to communicate broadly with customers affected by this issue. The company sent an e-mail alert to all registered users of Outlook 98 and Outlook Express. Notification of this issue is also posted on the Microsoft Security Advisor Web site (http://www.microsoft.com/security) and was sent to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security/bulletin.htm for more information regarding this free customer service). To ensure the widest notification of customers visiting Microsoft Web sites, links to the security bulletins were provided from a number of key Microsoft sites, including the Microsoft.com home page. In addition, Microsoft has notified CERT, an industry security organization, which distributes security-related information to corporate, government and end-users.
How do users subscribe to the Microsoft Product Security Notification Service?
Information on how to subscribe to the service is available at http://www.microsoft.com/security/bulletin.htm. Subscribers will receive security notifications whenever we issue them.
Exactly what products are affected?
The following products are affected by this issue:
The following products are NOT affected by this issue:
© 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.