Microsoft Security Bulletin MS04-018 - Cumulative Security Update for Outlook Express (823353)

Emily F [MSFT]

MS04-018 - Cumulative Security Update for Outlook Express (823353)
http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx

Microsoft Security Bulletin MS04-018
Cumulative Security Update for Outlook Express (823353)

Issued: July 13, 2004
Version: 1.0

Executive Summary:
This update resolves a public vulnerability. A denial of service
vulnerability exists in Outlook Express because of a lack of robust
verification for malformed e-mail headers. The vulnerability is documented
in the Vulnerability Details section of this bulletin. This update also
changes the default security settings for Outlook Express 5.5 Service Pack 2
(SP2). This change is documented in the Frequently Asked Questions related
to this security update section of this bulletin.
If a user is running Outlook Express and receives a specially crafted e-mail
message, Outlook Express would fail. If the preview pane is enabled, the
user would have to manually remove the message, and then restart Outlook
Express to resume functionality.
We recommend that customers consider applying the security update.

Summary
Who should read this document: Customers who use Microsoft® Outlook Express®
Impact of Vulnerability: Denial of Service
Maximum Severity Rating: Moderate
Recommendation: Customers should consider applying the security update.
Security Update Replacement: This bulletin replaces MS04-013: Cumulative
Update for Outlook Express and any prior Cumulative Security Updates for
Outlook Express.
Caveats: None

Tested Software and Security Update Download Locations:
Affected Software:
- Microsoft Windows NT® Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack
  3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server™ 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
  Microsoft Windows Millennium Edition (Me) - Review the FAQ section of this
  bulletin for details about these operating systems.

Affected Components:
- Microsoft Outlook Express 5.5 Service Pack 2: Download the Update
- Microsoft Outlook Express 6: Download the Update
- Microsoft Outlook Express 6 Service Pack 1: Download the Update
- Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition): Download the
  Update
- Microsoft Outlook Express 6 on Windows Server 2003: Download the Update
- Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition):
  Download the Update

The software in this list has been tested to determine if the versions are
affected. Other versions either no longer include security update support or
may not be affected. To determine the support lifecycle for your product and
version, visit the following Microsoft Support Lifecycle Web site.
 

Ivan Bútora

Interestingly enough, the vulnerability discussed in this bulletin is not considered critical for Windows 98 systems, but the patch is being offered for Windows 98 as well, unlike the updates from MS04-024, MS04-016 and other bulletins from earlier in the year, where Windows 98/98SE/Me were affected, but not critically.

Also, for those using WAB:

---begin quote from MS04-018 FAQ---
Does this update contain any other changes to functionality?
Yes. In addition to the change that is listed in the Vulnerability Details section of this bulletin, this update includes the following changes in functionality:
- Sets Outlook Express 5.5 SP2 to view HTML e-mail messages in the Restricted Sites zone.
- Fixes a behavior that was introduced in MS03-014 where Outlook Express 6 SP1 and later creates a copy of the Windows Address Book in a predictable location with a file name of "~". After you install this update, Outlook Express will no longer create this copy of the Windows Address Book in a predictable location.
---end quote---

Wonder if this means that the "~" problem is gone, or if it only means that now the "~" will be found in several unpredictable locations rather than one predictable location.

BTW, why is it that the download (OE 6 SP1) is so large (1950 KB)? Did the "~" problem really affect so many different OE files? (Note that there is no security issue fixed with this patch for OE 6 SP 1).
 

PA Bear

IIRC the automatic backup of Address Book will now be found with a .WAB~
extension, Ivan. "Mysterious Tilde File" is history after installing
MS04-018.

This update supersedes (replaces) Q837009 (MS04-013) and Q330994.

The download is large because the files updated are large:

Date         Time   Version             Size  File name
--------------------------------------------------------------
03-Mar-2003  23:57  6.0.2800.1123     75,776  Directdb.dll
07-Jun-2004  21:19  6.0.2800.1441    596,480  Inetcomm.dll
11-Oct-2002  22:08  6.0.2800.1123     47,616  Inetres.dll
03-Mar-2003  23:57  6.0.2800.1123     44,032  Msident.dll
03-Mar-2003  23:57  6.0.2800.1123     56,832  Msimn.exe
26-May-2004  21:26  6.0.2800.1437  1,175,040  Msoe.dll
03-Mar-2003  23:57  6.0.2800.1123    228,864  Msoeacct.dll
11-Oct-2002  22:09  6.0.2800.1123  2,479,616  Msoeres.dll
03-Mar-2003  23:57  6.0.2800.1123     91,136  Msoert2.dll
03-Mar-2003  23:57  6.0.2800.1123     93,184  Oeimport.dll
03-Mar-2003  23:57  6.0.2800.1123     55,808  Oemig50.exe
03-Mar-2003  23:57  6.0.2800.1123     31,744  Oemiglib.dll
03-Mar-2003  23:57  6.0.2800.1123     42,496  Wab.exe
24-Jun-2004  21:26  6.0.2800.1450    463,360  Wab32.dll
03-Mar-2003  23:57  6.0.2800.1123     30,208  Wabfind.dll
03-Mar-2003  23:57  6.0.2800.1123     77,824  Wabimp.dll
03-Mar-2003  23:57  6.0.2800.1123     27,648  Wabmig.exe

The above is for Windows XP, Windows XP SP1, Windows 2000 SP3, Windows 2000
SP4, and Windows NT 4.0 SP6a w/out either Q837009 or Q330994 installed.
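
Added example (not part of the original post, and not Microsoft's code): one way to use the file table above as a patch-verification baseline, by parsing the rows and comparing them numerically against versions collected from a host. The function names and the sample inventory are assumptions made for illustration; the inventory values are constructed.

```python
import re

# Rows copied from the file table in the post above (subset: the three files
# newer than 6.0.2800.1123, plus one file left at that version).
MANIFEST = """\
03-Mar-2003 23:57 6.0.2800.1123 75,776 Directdb.dll
07-Jun-2004 21:19 6.0.2800.1441 596,480 Inetcomm.dll
26-May-2004 21:26 6.0.2800.1437 1,175,040 Msoe.dll
24-Jun-2004 21:26 6.0.2800.1450 463,360 Wab32.dll
"""

# date, time, four-part version, size with thousands separators, file name
ROW = re.compile(r"^\S+\s+\S+\s+(\d+(?:\.\d+){3})\s+[\d,]+\s+(\S+)$")

def version_tuple(text):
    """'6.0.2800.1441' -> (6, 0, 2800, 1441), so parts compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Return {lower-cased file name: version tuple} for each table row."""
    required = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            required[match.group(2).lower()] = version_tuple(match.group(1))
    return required

def audit(installed, manifest_text=MANIFEST):
    """Label each manifest file 'ok', 'outdated' or 'missing' for one host."""
    inventory = {name.lower(): ver for name, ver in installed.items()}
    report = {}
    for name, needed in parse_manifest(manifest_text).items():
        have = inventory.get(name)
        if have is None:
            report[name] = "missing"
        elif version_tuple(have) >= needed:
            report[name] = "ok"
        else:
            report[name] = "outdated"
    return report

# Constructed inventory for one host (not real data). 6.0.2800.999 is a made-up
# version: it sorts above 6.0.2800.1441 as a string but is numerically older.
SAMPLE_INVENTORY = {
    "Directdb.dll": "6.0.2800.1123",
    "INETCOMM.DLL": "6.0.2800.999",
    "Msoe.dll": "6.0.2800.1437",
}
```

Calling `audit(SAMPLE_INVENTORY)` flags Inetcomm.dll as outdated and Wab32.dll as missing; a plain string comparison of the version fields would have passed the outdated file.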
 

PCR

Eee-Yow, three of them!! You will drive Colorado mad! He has forsworn
all Windows Updates!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
 

PCR

!!!Yea!!!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
 
