Security vulnerability found in HEAT's EasyMail Objects.

Version 1


    EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows "EasyMail Objects, a set of COM objects for supporting email  protocols, is installed on the remote Windows host.  It may have been bundled with a third-party application, such as Oracle Document  Capture, Earthlink internet access software, Borland Caliber RM Client, and FrontRange Heat.  The SMTP component of the version of this control installed on the remote host reportedly contains multiple buffer overflows involving the AddAttachment and SubmitToExpress methods that could lead to arbitrary code execution on the affected system.  Successful exploitation requires, though, that an attacker trick a user on the affected host into visiting a specially crafted web page."  "Either disable its use from within Internet Explorer by setting its kill bit or remove it completely."


    This has been run by FrontRange Development.  Unfortunately this is not our .dll (supplied by third party) and therefore we don’t have a lot of control over it.  The offender, the emsmtp.dll, specifically version 5.0, is what is used by current HEAT releases.     An updated DLL can be downloaded for free and with no registration from the QuickSoft site:  Looking at the Release Notes (below) for the version of the SMTP product, it looks like the updated DLL may fix this.  We have run a test with Call Logging and HMC, and when replacing BOTH the emsmtp.dll and the empop3.dll to the current version from the above link, everything looks to still work properly in HEAT.  These DLLs are in the main Program Files/HEAT folder and can simply be replaced with the new ones. It is recommended that copies of the originals are retained.   We have not tested the DLLs for all security vulnerabilities, and so make no claims that updating to these DLLs will fix the security issue for certain. We have only smoked tested the email functionality in HEAT with the updated DLLs, and have NOT put the entire product through a full QA cycle with the updated DLLs.  QuickSoft Release Notes:  Version Release Date: February 15, 2007  Security: Fixed scripting related security issues. Version Release Date:  November 27, 2006  Feature: Added AUTH MSN.  Set ESMTP_AuthMode property to 8. Version Release Date:  November 27, 2006  Feature: You can now add attachments using non-ASCII file names. Feature: Added ConvertHTMLToAlternativeText method that allows you to convert an HTML string to a Plain text string. Feature: Added NTLM Authentication.  Set ESMTP_AuthMode property to 8. Version Release Date: March 13, 2006  Fix: Calling ImportBodyTextEx could result in truncation of the HTML body text.  Version Release Date: February 9, 2006  Fix: When not using autowrap the message body could be truncated due to changes in prior version. Feature: Code reviewed and additional buffer overrun protection added. Fix: Multi-line response could cause problem with using the SMTP with SSL. Feature: Adding 64 as an option flag will save the message with out any additional x-headers.