CVE-1999-1164
Description
Microsoft Outlook hangs when receiving multiple emails with duplicate X-UIDL headers, enabling remote denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Microsoft Outlook client hangs when it receives multiple email messages with the same X-UIDL header. The X-UIDL header is used by POP3 to uniquely identify messages; if a POP server returns duplicate UIDLs (e.g., due to a server bug or malicious injection), Outlook enters a hang state before downloading any mail. The issue affects Outlook clients connecting to POP servers that do not enforce unique UIDL values. The exact Outlook versions are not specified in the reference, but the vulnerability was reported in 1999 and likely affects all versions at that time.
Exploitation
An attacker must control or compromise a POP server, or be able to inject emails with crafted X-UIDL headers into the user's mailbox. The attacker sends multiple emails with the same X-UIDL value. When the victim's Outlook client connects to the POP server and retrieves the message headers, it encounters duplicate UIDLs and hangs, preventing any further mail retrieval.
Impact
Successful exploitation causes a denial of service: Outlook hangs and becomes unresponsive, preventing the user from downloading or reading email. The attacker does not gain access to data or execute code, but the victim loses email functionality until the duplicate messages are removed or the client is restarted.
Mitigation
The reference [1] points to a website (http://getaclue.org/yoduh/outlook.html) that details workarounds and fixes, but the content is not available in the provided reference. The primary mitigation is to ensure that POP servers validate and enforce unique X-UIDL values for each message. No official Microsoft patch is mentioned; given the age of the CVE, modern Outlook versions may have addressed this behavior, but the available references do not confirm a fix.
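A server-side check for the condition described above, as an added example that is not taken from the CVE references or from any vendor: it flags messages in a spool that share an X-UIDL value and derives a unique UIDL per message without trusting the header carried in the mail. The sample spool, the function names and the digest-based UIDL scheme are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_bytes

# Constructed sample spool: four messages, two of them sharing one X-UIDL value.
SAMPLE_SPOOL = [
    b"From: a@example.test\r\nSubject: one\r\nX-UIDL: AAAA1111\r\n\r\nbody one\r\n",
    b"From: b@example.test\r\nSubject: two\r\nX-UIDL: AAAA1111\r\n\r\nbody two\r\n",
    b"From: c@example.test\r\nSubject: three\r\nX-UIDL: BBBB2222\r\n\r\nbody three\r\n",
    b"From: d@example.test\r\nSubject: four\r\n\r\nno uidl header\r\n",
]


def find_duplicate_uidls(raw_messages):
    """Return {uidl: [message indexes]} for every X-UIDL value held by more than one message."""
    seen = defaultdict(list)
    for index, raw in enumerate(raw_messages):
        msg = message_from_bytes(raw)
        # A message may carry several X-UIDL headers; count each value once per message.
        for value in {v.strip() for v in (msg.get_all("X-UIDL") or [])}:
            seen[value].append(index)
    return {uidl: idxs for uidl, idxs in seen.items() if len(idxs) > 1}


def assign_unique_uidls(raw_messages):
    """Derive one UIDL per message from its content, ignoring any X-UIDL in the mail itself."""
    counts = defaultdict(int)
    uidls = []
    for raw in raw_messages:
        digest = hashlib.sha256(raw).hexdigest()[:24]
        counts[digest] += 1
        # The occurrence counter keeps byte-identical messages distinct.
        uidls.append(f"{digest}.{counts[digest]}")
    return uidls


if __name__ == "__main__":
    for uidl, indexes in find_duplicate_uidls(SAMPLE_SPOOL).items():
        print(f"duplicate X-UIDL {uidl!r} in messages {indexes}")
    for index, uidl in enumerate(assign_unique_uidls(SAMPLE_SPOOL)):
        print(index, uidl)
```

The generated values stay within the 1 to 70 printable-character limit that RFC 1939 sets for POP3 unique-ids.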
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- marc.info (nvd)