COMMAND

    Outlook Express

SYSTEMS AFFECTED

    Win98

PROBLEM

    Miquel van Smoorenburg found the following.  There is a bug in Outlook
    Express delivered with Windows  '98, at least version  4.72.3110.1
    (4.01 SP1)  and 4.72.3120.0  (4.01 SP1  + oepatsp1).   A dot  on a
    line by itself means EOM (end of message) in the POP3 protocol.
    If a message contains such a line, it must be escaped by adding
    an extra dot, so we have 2 dots on a single line - which is OK.
    However, if on the TCP level the line after this double-dot
    crosses over to the next packet, Outlook Express will interpret
    the double-dot as a single dot, switching back to POP3 command
    mode and interpreting the rest of the message as a response from
    the POP3 server.  The result is an error message and usually a
    hanging POP3 session.  Perhaps it's not really a bug in Outlook,
    but in the Windows I/O library or the TCP implementation... which
    is scary.  So at the TCP packet level it looks like this:

        packet1: [message data]
        packet1: \r\n..\r\nthis is a line that
        packet2: continues in the next packet

    The double-dot  on the  2nd line  will be  interpreted as a single
    dot.  Include a few thousand  lines like this in an email  and the
    bug will trigger:

        So
        .
        this
        .
        might
        .
        actually
        .
        cause
        .
        the
        .
        bug
        .
        with
        .
        some
        .
        luck
        .
        repeat
        .
        until
        .
        three
        .
        times
        .
        max
        .
        mtu
        .
        of
        .
        1500

    Because the POP3 session is hanging, the message will not be
    removed from the server, and the next time mail is checked the
    same thing will occur.  This is an effective DoS attack against
    the mailbox.
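
    The dot-stuffing rule described above, as an added example that
    is not part of the original advisory and is not Outlook Express
    code: a POP3 body decoder that buffers incomplete lines, so its
    result cannot depend on where TCP segment boundaries fall.  It
    goes beyond the single split shown above by checking every one-
    and two-cut segmentation; all names and the sample message are
    constructed for illustration.

```python
# Added example (hypothetical names, constructed sample data); not Outlook Express code.

class Pop3BodyDecoder:
    def __init__(self):
        self._buf = b""      # incomplete line carried over between reads
        self.lines = []      # decoded message lines, CRLF removed
        self.done = False    # set once the lone-dot terminator is seen
        self.leftover = b""  # bytes after the terminator (next server reply)

    def feed(self, chunk):
        if self.done:
            self.leftover += chunk
            return
        self._buf += chunk
        while not self.done:
            end = self._buf.find(b"\r\n")
            if end < 0:
                return       # no complete line yet: decide nothing, wait
            line, self._buf = self._buf[:end], self._buf[end + 2:]
            if line == b".":                 # EOM only if the whole line is "."
                self.done = True
                self.leftover, self._buf = self._buf, b""
            elif line.startswith(b"."):
                self.lines.append(line[1:])  # undo the sender's dot-stuffing
            else:
                self.lines.append(line)

def dot_stuff(lines):
    """Server side: escape leading dots, then append the terminator."""
    body = b"".join((b"." + l if l.startswith(b".") else l) + b"\r\n" for l in lines)
    return body + b".\r\n"

def decode_in_chunks(wire, cuts):
    dec, prev = Pop3BodyDecoder(), 0
    for cut in sorted(cuts) + [len(wire)]:
        dec.feed(wire[prev:cut])
        prev = cut
    return dec

def survives_every_split(wire, expected, trailer):
    """True if every 1- and 2-cut segmentation decodes identically."""
    return all(
        (d := decode_in_chunks(wire, [i, j])).done
        and d.lines == expected and d.leftover == trailer
        for i in range(len(wire) + 1) for j in range(i, len(wire) + 1))

MESSAGE = [b"So", b".", b"this is a line that continues in the next packet", b".", b"bug"]
TRAILER = b"+OK\r\n"  # constructed: reply to the client's next command
WIRE = dot_stuff(MESSAGE) + TRAILER
```

    The same property check can be run against any client-side POP3
    parser as a regression test.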

SOLUTION

    Windows  '95   updated  with   MSIE  4.01   has  Outlook   Express
    4.72.3612.1700, which doesn't show the problem.  OE from MSIE3 and
    MSIE5 don't have  the problem either.  There might be  versions of
    MSIE4  included  with  Windows  '98  that  don't  show the problem
    either, but who has a stack of Windows CDs?

    The only way to solve this  is to remove the message with  another
    POP3 email program (Eudora, Pegasus) or to ask the sysadmin of the
    POP3 server  to remove  the message  manually (look  for a message
    that has a line starting with a dot).  Upgrading to MSIE 5.0  will
    also solve the problem, but  there is no simple/small bugfix  from
    Microsoft  available  (an  MSIE  5.0  download  is what - 20 MB at
    least?).