Patches Galore (Hotmail x2 and SSL)

April 16, 2014

There are several new patches available for IMAP, SSL and WebMail.

IMAP (Hotmail)
Edit: May 19 — This patch may not be necessary as the problem no longer occurs with the original IMAP plugin.

Many people using IMAP to access their Hotmail accounts have been reporting frequent errors; the typical error that POP Peeper reports is “Failed to Process SSL Socket (Is SSL Plugin loaded?)”. This is a somewhat recent problem and, as previously reported, the problem appears to be with Hotmail’s servers. I also suggested that there’s nothing that POP Peeper can do about it; fortunately, that statement was not entirely accurate.
The problem is that Hotmail is taking a very long time to synchronize the encryption layer and POP Peeper had a built-in, hard-coded timeout that was too short. I have made a patch so that, instead of using a short timeout value, POP Peeper uses the timeout value specified for IMAP in PPtweaker. By default, this is 60 seconds, which should be enough time for this issue. In case you have modified your IMAP timeout: I have witnessed the required time to be between 20-35 seconds; however, this may not have been during peak times, so I would recommend a minimum of 45 seconds.

Downloads:
First, you’ll need to check which version of the IMAP Plugin you need. On the main menu, select Help / About. In the list on the right, the first entry will be “POP Peeper”; look at the corresponding number in the “Current” column. It will likely be “3.8.1” or “4.0.0…”: the first number is the important one and indicates whether you have v3 or v4, respectively.
Click here to download for v3
Click here to download for v4 (beta09 and earlier)

Instructions:
Download the correct file above
Exit POP Peeper
Open the zip file you downloaded
Copy imap.dll and overwrite your existing imap.dll file; this is usually in:
C:\Program Files (x86)\POP Peeper\
or, if you have a 32-bit OS and the “Program Files (x86)” folder does not exist:
C:\Program Files\POP Peeper\
Restart POP Peeper
To confirm you have the correct version, go to Help / About again and the current version for Imap will now be “3.8.1.5” or “4.0.0.1”

When connecting to Hotmail accounts using IMAP, you may see a long delay (20-35 seconds, as noted above) while POP Peeper is “connecting” to the account before you see “Logging in…” — this long delay just means that the fix is working…

SSL
The most current version of OpenSSL (v1.0.1g) has been released. As announced earlier, the versions that POP Peeper previously released were NOT affected by the Heartbeat exploit. This is still a recommended upgrade to ensure that you have all the latest security fixes.
Click here for more information

WebMail (Hotmail)
There was also a WebMail update released for Hotmail (webmail v3.8.0.44). This fixes some character set issues that would display question marks or other strange characters in lieu of the correct character. POP Peeper should automatically update your webmail plugin if you need it, or you can:
Click here for more information

OpenSSL Security Advisory

April 9, 2014

As many people have already read, a major security flaw was recently discovered and fixed in OpenSSL. Please note that this does NOT affect the OpenSSL versions distributed by POP Peeper (versions 0.9.8 and 1.0.0e). You can check what version of SSL POP Peeper is using under Help / About. If you do have an affected version, you should upgrade to the latest OpenSSL version, which has a fix (1.0.1g), or you can downgrade to the 1.0.0e version available on the POP Peeper website:
http://www.poppeeper.com/Plugins/ssl.php

Here is the bulletin posted by OpenSSL:
http://www.openssl.org/news/secadv_20140407.txt

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
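
The bounds check the advisory refers to, sketched as an added example (this is not OpenSSL's or POP Peeper's code): a heartbeat request carries a 2-byte payload length chosen by the sender, and the receiver must compare it with the bytes actually received before echoing the payload back. The function names and sample records are constructed for illustration; the message layout (type, length, payload, at least 16 bytes of padding) is the one defined in RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_MIN_PAD  16   /* minimum padding required by RFC 6520 */

/* Constructed sample records: 3-byte header, "ping", 16 bytes of padding. */
static const uint8_t hb_ok[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
/* Same 23 bytes received, but the length field claims 0x4000 bytes. */
static const uint8_t hb_bad[23] = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Payload length as claimed by the peer; never trust it on its own. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Echo a heartbeat request into out. Returns the response length, or 0
 * when the record is malformed and must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    size_t payload, total;

    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                       /* too short, or not a request */
    payload = hb_claimed_len(rec);
    total = HB_HEADER + payload + HB_MIN_PAD;
    if (total > rec_len || total > out_cap)
        return 0;                       /* the bounds check: claim vs. bytes held */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD); /* real stacks use random padding */
    return total;
}

int main(void)
{
    uint8_t out[64];
    printf("well-formed: %zu bytes\n", hb_build_response(hb_ok, sizeof hb_ok, out, sizeof out));
    printf("oversized claim: %zu bytes\n", hb_build_response(hb_bad, sizeof hb_bad, out, sizeof out));
    return 0;
}
```

Without the `total > rec_len` comparison, the copy length would come from the sender's 16-bit field alone, which is where the advisory's "up to 64k" figure comes from.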