-----BEGIN PGP SIGNED MESSAGE-----
Vulnerability in vCard import in Outlook 2000
Released: August 30, 2000
Under certain conditions, excessively long or malformed fields in a
vCard (.vcf) file can cause Microsoft Outlook 2000 to either
overflow or excessively utilize system resources.
The specifications regarding vCard MIME types and field contents can
be found in RFCs 2425 and 2426.
Although RFC 2426 section 2.6 specifically requires lines longer than
75 characters to be folded as defined in [MIME-DIR], it appears
Outlook does not support line folding, and will attempt to import
any field in the file as one value, even if it is several pages long
or (in one case) overflows a data field within Outlook.
The effect this unlimited import attempt has on Outlook 2000 varies
between field types. Some fields will cause Outlook to consume
nearly all CPU time, and certain others (especially date/revision
fields and e-mail fields) will cause Outlook to terminiate
immediately due to an overflow.
Outlook 2000 does not attempt to open and import a .vcf file that a
user receives via e-mail without prompting the user first. However,
vCard files are extremely common, and many users have trained
themselves to ignore the warning dialog box.
Outlook does, however, open a vCard file with no questions asked if
the user saves it to a directory and double-clicks it from Windows
Explorer. In this situation, the vCard is processed directly with no
warning or status messages displayed to the user.
Microsoft Outlook 2000 was the only platform tested (on Windows NT
Service Pack 6a+hotfixes).
Affected fields in vCard file causing an overflow:
- - email:
- - bday; value=date (as low as 52 characters of form YYYY-MM-D(60)
Affected fields in vCard file causing excessive CPU utilization:
- - name:
- - nickname:
- - fn:
- - title:
- - title;language=de;value=text:
- - tel:
- - tel;