1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. Attack: MS Outlook NNTP Response CVE-2005-1213

Attack: MS Outlook NNTP Response CVE-2005-1213

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects an attempt to exploit a vulnerability in Microsoft Outlook Express.

Additional Information

Microsoft Outlook Express is prone to a buffer overflow vulnerability.

This issue occurs in the NNTP Response Parsing mechanism of the applications. A malformed NNTP response could cause an internal buffer to be overrun, possibly resulting in execution of arbitrary code. Code execution would occur in the security context of the user running the vulnerable application.

The issue specifically exists in the MSOE.dll library included with Outlook Express. A stack-based buffer can be overrun during a memory copy operation.

Exploitation would require the victim user to connect to a malicious NNTP server. When the user connects to the server for the first time, they are offered a list of available newsgroups. The server response consists of four fields for each newsgroup residing on the server. If the second field contains data longer than 16 bytes, an internal buffer is overrun causing a Structured Exception Handler to be overwritten with arbitrary data. This could result in the execution flow being altered, allowing arbitrary code execution.


  • Microsoft Outlook Express 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube