VYPR
Unrated severity · NVD Advisory · Published Oct 13, 2005 · Updated Apr 16, 2026

CVE-2005-1987

Description

Buffer overflow in Microsoft Collaboration Data Objects (CDO) allows remote code execution via a crafted email with an oversized header name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in Microsoft Collaboration Data Objects (CDO), specifically in the cdosys.dll and cdoex.dll libraries. The flaw occurs when an application or component that uses CDO processes an email message with an excessively long header name, such as "Content-Type" followed by a large string. Affected software includes Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003 (including Service Pack 1), Windows Server 2003 for Itanium-based Systems, Windows Server 2003 x64 Edition, and Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004. Non-affected versions include Windows 98, Windows ME, Exchange Server 5.5, and Exchange Server 2003 (including Service Pack 1). [1][2][3]

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted email message to a vulnerable system that uses CDO to parse email content, such as Microsoft Exchange 2000 Server with event sinks enabled or Internet Information Services (IIS) with CDO components. The email contains a header with an abnormally long name, which triggers a stack-based buffer overflow when the CDO library processes it. Proof-of-concept code for this vulnerability is publicly available. [2][3]

Impact

Successful exploitation allows the attacker to execute arbitrary code on the affected system with full system privileges, leading to complete compromise of the host. Additionally, the vulnerability can be used to bypass content security mechanisms, such as virus scanners and content filters, potentially allowing malicious content to evade detection. [1][2][3]

Mitigation

Microsoft released security update MS05-048 on October 11, 2005, which addresses this vulnerability. Customers should apply the appropriate update for their affected Windows or Exchange Server version at the earliest opportunity. As a workaround, administrators can disable event sinks on Exchange 2000 Server and IIS, or unregister the cdoex.dll and cdosys.dll files to reduce the attack surface. No other mitigations are available for systems that cannot be patched. [1][3]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12
  • cpe:2.3:a:microsoft:exchange_server:2000:sp3:*:*:*:*:*:*
  • (no CPE)
  • cpe:2.3:o:microsoft:windows_2000:-:sp4:*:fr:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2003:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:sp1:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:sp1:*:*:*:*:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp1:*:*:tablet_pc:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:tablet_pc:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:x64:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"An unchecked buffer in Collaboration Data Objects (CDO) allows a large e-mail header name to overflow a fixed-size buffer during message processing."

Attack vector

An attacker delivers a specially crafted e-mail message with an overly large header name (e.g., an excessively long "Content-Type" string) to an affected system via SMTP [ref_id=1]. When CDOSYS or CDOEX processes the message, the CDO component copies the oversized header name into a fixed-size buffer without verifying its length, causing a buffer overflow [CWE-120]. This overflow can corrupt memory in a way that allows the attacker to execute arbitrary code with the privileges of the affected process [ref_id=1]. No authentication is required; any anonymous user who can send an SMTP message to the target can attempt exploitation [ref_id=1].

Affected code

The vulnerability resides in the Collaboration Data Objects (CDO) COM components — specifically the files Cdosys.dll (used by Windows) and Cdoex.dll (used by Exchange 2000 Server). The advisory does not identify specific function names or code paths within those binaries [ref_id=1].

What the fix does

The security update modifies the way CDO validates the length of a message header before copying it into the allocated buffer [ref_id=1]. By adding a size check, the fix ensures that oversized header names are rejected or truncated rather than written past the end of the buffer, closing the buffer overflow [CWE-120]. No patch diff is available in the bundle; the advisory states only that the update "removes the vulnerability by modifying the way that CDO validates the length of a message before it passes the message to the allocated buffer" [ref_id=1].
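The bug class and the kind of length check described above, as an added illustration in C. This is not CDO's code (the advisory names no functions); `name_unchecked`, `name_checked`, `check_oversized` and the 64-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define NAME_BUF 64 /* assumed size; the advisory does not give CDO's */

enum hdr_status { HDR_OK, HDR_MALFORMED, HDR_NAME_TOO_LONG, HDR_BAD_CHAR };

/* Unchecked pattern (CWE-120), for contrast only: copies up to the colon
 * with no regard for how large `out` is. */
void name_unchecked(const char *line, char *out)
{
    while (*line != '\0' && *line != ':')
        *out++ = *line++;
    *out = '\0';
}

/* Checked form: measure the name first and refuse what does not fit. */
enum hdr_status name_checked(const char *line, char *out, size_t outsz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return HDR_MALFORMED;           /* no colon, or empty name */
    size_t n = (size_t)(colon - line);
    if (n >= outsz)
        return HDR_NAME_TOO_LONG;       /* would not leave room for NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 33 || c > 126)          /* RFC 5322 field-name characters */
            return HDR_BAD_CHAR;
    }
    memcpy(out, line, n);
    out[n] = '\0';
    return HDR_OK;
}

/* Constructed input: a 4096-byte header name followed by ": x". */
enum hdr_status check_oversized(void)
{
    char line[4096 + 4], name[NAME_BUF];
    memset(line, 'A', 4096);
    memcpy(line + 4096, ": x", 4);      /* copies the terminating NUL too */
    return name_checked(line, name, sizeof name);
}

int main(void)
{
    char name[NAME_BUF];
    printf("%d %d\n", name_checked("Content-Type: text/plain", name, sizeof name), check_oversized());
    return 0;
}
```

Rejecting the oversized name, rather than truncating it, also avoids a parser and a downstream content filter disagreeing about which header they saw.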

Preconditions

  • config: The target must be running an affected version of Microsoft Windows (2000 SP4, XP SP1/SP2, Server 2003) or Exchange 2000 Server with the vulnerable CDO components registered.
  • network: The attacker must be able to deliver an SMTP message to the affected system; no prior authentication is required.
  • input: The affected system must have an application (such as an SMTP event sink) that calls CDOSYS or CDOEX to process incoming messages.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
