Dan Butler's
TNPC Newsletter

A Roadmap to Patching Outlook 98 and Outlook Express for the "Long Filename Security Issue"

by Lee Hudspeth

(On 8-11-98, as we were preparing to click the Send button for this issue, we noticed that Microsoft had released updated patches. Here are the absolute latest Web addresses for these new patches, but we have not yet had time to carefully study them in our labs, and in one case we got repeated "404 Not Found" errors while trying to access these new pages; therefore, we're going to run our story as originally written. Stay tuned.
* Second Outlook 98 patch:
http://www.microsoft.com/outlook/enhancements/outptch2.asp
* Second Outlook Express patch:
http://www.microsoft.com/ie/security/?/ie/security/oelong.htm
-- Ed.)

Microsoft has recently released "long filename security issue" patches for Outlook 98 and Outlook Express. This issue doesn't apply to you if: (a) you're running Outlook 97 or (b) you're running Outlook 98 in "Corporate or Workgroup" mode and do not have the Internet E-mail service installed. This issue does affect you if you're running Outlook 98 on Win95, Win98, or WinNT 4.0; or if you're running Outlook Express 4.0 or 4.01 on Win95, Win98, WinNT 4.0, Solaris, or Macintosh.

These patches resolve a coding error (not properly checking for out-of-bounds conditions, something to which any Programming 101 graduate should religiously adhere) that created a vulnerability in these email readers. The vulnerability: if you download (in Outlook 98) or open (in Outlook Express) an attachment to an email, AND the attachment has a long filename of 200 or more characters, that COULD generate an out-of-bounds condition crashing the email reader, at which point malicious code (if it was in place) COULD run, having been placed just beyond the vulnerable long filename character position. Okay. We believe the real-world probability of such an occurrence is almost zero (just look at all the things that have to happen concurrently to expose the vulnerability), but not exactly zero. So you have several choices.

If you're using Outlook 98 or Outlook Express as your email client, you can get an email client that hasn't been found to be susceptible to this issue (like Pegasus or Pine), or you can install the patches. The latter operation takes all of 10 minutes or so, depending on the speed of your Internet connection. But in carefully observing what took place during those 10 minutes, we noticed some serious documentation gaffes and patch misbehaviors that you should know about before you run the patches yourself. We wrote this article as a single-source manual for those of you who decide to install these patches.

Do keep in mind that so far there are exactly zero known data fatalities from this issue.

The following table shows relevant version number information of the most recent releases of these two applications, before and after the patches. The executable files you use to launch these applications are not the files being patched; that is, neither Outlook.exe nor Msimn.exe changes as a result of the patches. In the case of Outlook Express, the most current pre-patch version is occasionally referred to by Microsoft -- confusingly -- as "Outlook Express 4.01 (SP1)," the real version number being 4.72.3110.5.

In the table's Techniques column: "Help / About" means to run the application and select Help / About and look at the version number in the resulting dialog box. To see the version numbers for the two DLL files listed, use Windows Explorer: find the file (Tools / Find / Files or Folders) then right-click the file, choose Properties, and click the Version tab. Outlmime.dll is typically in C:\Program Files\Microsoft Office\Office. Msimnui.dll is typically in C:\Program Files\Outlook Express.

Product          Technique     Before        After
---------------  ------------  ------------  ------------
Outlook 98       Help / About  8.5.5104.6    8.5.5104.6
Outlook 98       Outlmime.dll  4.71.2173.0   4.71.2232.26
Outlook Express  Help / About  4.72.3110.5   4.72.3115.0
Outlook Express  Msimnui.dll   4.72.3110.5   4.72.3115.0

There are several annoyances here. At the time of this writing (8-5-98), the Microsoft Knowledge Base article "OL98: Update Available for Outlook 98 Security Issue" (Q175807) does not explain what Outlook 98 version number changes to look for. We determined that the patched file is Outlmime.dll. The Microsoft Knowledge Base article "OE: Update Available For Outlook Express Security Issue" (Q168019) does explain what Outlook Express file and version number changes to look for. Here are the addresses for these two articles:
http://support.microsoft.com/support/kb/articles/q175/8/07.asp
http://support.microsoft.com/support/kb/articles/q168/0/19.asp

The Outlook 98 patch behaved as expected. However, it's very exasperating that Outlook 98, unlike Outlook Express, does not update the version number it displays in its Help / About dialog box. Given the debacle a few months ago when Microsoft released a series of three recalculation patches to Excel 97 and didn't update the Help / About dialog box, you'd think they'd get it right, and get it consistently right. See Woody's Office Watch #3.13 and #3.17 for the version control history re the Excel 97 patches:
http://www.wopr.com/wow/bakwow4.htm

After running the Outlook Express patch on one of our production systems, we noticed Msimnui.dll was version 4.72.2106.4, so the patch had failed even though its messages indicated it completed successfully. After a second execution of Oepatsp1.exe, ditto (Msimnui.dll was still the unpatched version).

It turns out this PC's Internet Explorer had long ago been upgraded to 4.01 SP1, but we had not updated Outlook Express at that time. So the PC was running Internet Explorer 4.01 SP1 along with a non-SP1 version of Outlook Express 4.01. The Oepatsp1.exe patch doesn't verify that Outlook Express 4.01 SP1 is installed, or if it does, it certainly doesn't tell you. In fact, it incorrectly states that it completed successfully, when it clearly didn't. Naturally, it should detect the wrong version AND tell you, thereby avoiding much confusion. After we upgraded to Outlook Express 4.01 SP1 and ran the patch, all was well.

We've informed Microsoft product management of these problems, so let's hope they are resolved soon.

Here are the patch filenames, their download sizes, and additional useful information:

* Outlook 98 patch:

(This patch file's name and behavior may have changed as of 8-11-98; we have not yet tested it. The information shown here is current as of 8-10-98. Stay tuned. -- Ed.)

- Outpatch.exe is 154,376 bytes
- http://support.microsoft.com/download/support/mslfiles/
- Message box captions read "Microsoft Outlook 98 Security Patch 1.0"
- There is no prompt to restart Windows

* Outlook Express patch:

(These files' names and behaviors may have changed as of 8-11-98; we have not yet tested them. The information shown here is current as of 8-10-98. Stay tuned. -- Ed.)

- Oepatsp1.exe is 779,072 bytes (if running Internet Explorer 4.01 SP1)
- Oepat401.exe is 1,757,776 bytes (if running Internet Explorer 4.01 (not SP1)); both files are available at:
- http://www.microsoft.com/security/
- Message box captions read "Microsoft Outlook Express Update"
- You are prompted to restart Windows

At the above URL you will find more information about Microsoft's take on this file attachment security issue.

Also affected by this issue are the email readers in Netscape Communicator versions 4.0-4.05 (Win3.1, Win9x, and WinNT), and Communicator 4.5 Preview Release 1 (Win9x and WinNT). A patch is expected within two weeks. For more information see:

http://home.netscape.com/products/security/resources/bugs/longfile.html

Moral of the story: when patching, always carefully study the manufacturer's documentation about what to look for as empirical proof the patch succeeded. Then do that examination after running the patch.
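
The check this moral describes, as an added example (not part of the original article or any Microsoft tool): it compares a file version read from the Properties / Version tab against the article's before/after table instead of trusting the installer's success message. The verdict names, and the rule that any build at or above the documented post-patch version counts as patched, are assumptions of this example.

```python
"""Classify observed file versions against the article's before/after table."""

# Version numbers copied from the article's table: file -> (pre-patch, post-patch).
EXPECTED = {
    "Outlmime.dll": ("4.71.2173.0", "4.71.2232.26"),
    "Msimnui.dll": ("4.72.3110.5", "4.72.3115.0"),
}


def parse_version(text):
    """Turn '4.72.3110.5' into (4, 72, 3110, 5) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(filename, observed):
    """Return a verdict for one file, ignoring what the installer reported."""
    before, after = (parse_version(v) for v in EXPECTED[filename])
    seen = parse_version(observed)
    if seen >= after:
        # Assumption: builds at or above the documented post-patch version carry the fix.
        return "patched"
    if seen == before:
        return "unpatched"
    if seen < before:
        # Older than the baseline the patch was built for, e.g. Outlook
        # Express without SP1: upgrade first, then run the patch again.
        return "prerequisite-missing"
    return "unknown-build"  # falls between the two documented versions


def audit(observations):
    """Map each (filename, observed version) pair to its verdict."""
    return {name: classify(name, version) for name, version in observations}


if __name__ == "__main__":
    # Constructed sample: values as read from each file's Version tab.
    sample = [("Outlmime.dll", "4.71.2232.26"), ("Msimnui.dll", "4.72.2106.4")]
    for name, verdict in audit(sample).items():
        print(f"{name}: {verdict}")
```

The second sample value is the 4.72.2106.4 build the article found after the patch claimed success; it is reported as a missing prerequisite rather than as a plain unpatched file.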

Copyright © 1999, PRIME Consulting Group, Inc. and Dan Butler. All Rights Reserved.
The Naked PC is a trademark of PRIME Consulting Group, Inc.
ISSN: 1522-4422
You may reprint an article from TNPC as long as you show the entire article and include the author's byline, excerpt and subscription information as shown:
A Roadmap to Patching Outlook 98 and Outlook Express for the "Long Filename Security Issue"

by Lee Hudspeth
(This article originally appeared in The Naked PC newsletter #1.04, subscribe at http://www.TheNakedPC.com)
