Outlook Express
I checked these vulnerabilities in Outlook Express and Outlook; similar
attacks are potentially possible in other email clients (the built-in email
client in Opera 9.52 is not affected). So anyone who wishes can check these
vulnerabilities in other clients, e.g. in Thunderbird and SeaMonkey.
I found Denial of Service vulnerabilities in Microsoft Outlook Express and
Outlook, which are identical to vulnerabilities in Internet Explorer 6.
Since these email clients use the IE engine for displaying
HTML letters, these attacks are Cross-Application DoS
(http://websecurity.com.ua/2600/).
Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow
iDefense Security Advisory 10.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 09, 2007
I. BACKGROUND
Microsoft Windows Mail and Outlook Express are the default mail and news
clients for Windows operating systems. More information can be found at
#####################################################################################
Application: Microsoft Outlook Express
             Microsoft Windows Mail
Platforms:   Windows 2000
             Windows XP
             Windows Vista
             Windows Server 2003
             Windows Server 2008 SR2
external circumstances (e.g. the bug being exploited in the wild) may
force an earlier release. Core confirms that it plans to release the
Proof of Concept code sent to Microsoft with the advisory draft.
. 2008-02-29: Core asks for updated information concerning this issue.
. 2008-03-04: Vendor states that there are issues discovered with the
package that the Outlook Express team is investigating that could impact
the release date.
. 2008-03-04: Core awaits updated information.
. 2008-03-11: Vendor communicates that an April release is not looking
likely.
. 2008-03-13: Core informs the vendor that the Beta release of IE 8 is
-------------------------------------------------
MS Patch - MS08-047 Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue
-------------------------------------------------
MS Patch - MS08-048 Security Update for Outlook Express and Windows Mail (951066)
Analysis - Possible security issue exists. Patch will run successfully.
Action - For SMA v2.1, customers should download patch from Microsoft and install.
Impacts only Outlook Express 5.5 SP2 - Or - Outlook Express 6 SP1
To determine your Outlook Express version check the Outlook Express help page
-------------------------------------------------
Denial of Service vulnerability.
== Specific Software ==
Vulnerable:
Microsoft Outlook Express 6, Version 6.00.2900.5512
Opera Version: 9.51 Build: 10081 System: Windows XP
Incredimail Build ID: 5853710 Setup ID: 7 Pn: 92977368
Norton Internet Security Version 15.5.0.23
ESet NOD32 2.70.0039.0000
Kaspersky Internet Security 2009; Databases from 23.07.2008
with the privileges of the logged in user. To exploit this
vulnerability, an attacker would have to use social engineering
techniques to convince a user to visit a malicious website. No further
interaction is needed.
With default settings, Microsoft Outlook and Outlook Express cannot be
used to directly exploit this vulnerability. By default, Outlook and
Outlook Express both run in Restricted mode which prevents Active
Content from being loaded. However, an attacker could send an e-mail
with a link to a malicious website. By following this link a user is
susceptible to exploitation through the browser.
In message <20081208225217.10144.qmail@securityfocus.com>,
bruhns@recurity-labs.com writes
...
>== Specific Software ==
>Vulnerable:
>Microsoft Outlook Express 6, Version 6.00.2900.5512
>Opera Version: 9.51 Build: 10081 System: Windows XP
>Incredimail Build ID: 5853710 Setup ID: 7 Pn: 92977368
>Norton Internet Security Version 15.5.0.23
>ESet NOD32 2.70.0039.0000
>Kaspersky Internet Security 2009; Databases from 23.07.2008
-------------------------------------------------
MS Patch - MS07-055 Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)
Analysis - Possible security issue exists. Patch will run successfully.
Action - For SMA v2.1, customers should download patch from Microsoft and install.
-------------------------------------------------
MS Patch - MS07-056 Security Update for Outlook Express and Windows Mail (941202)
Analysis - Possible security issue exists. Patch will run successfully.
Action - For SMA v2.1, customers should download patch from Microsoft and install.
-------------------------------------------------
MS Patch - MS07-057 Cumulative Security Update for Internet Explorer (939653)
Analysis - Possible security issue exists. Patch will run successfully.
This vulnerability exists in versions up to 5.1.5. Newer versions might also be affected.
Workaround
----------
Current eOffice users are strongly advised to switch to other email clients such as the free Thunderbird, Sylpheed, Outlook Express, or commercial Outlook in the MS Office suite until the bug has been resolved.
Fix
---
Customers are advised to contact and request a fix directly from the vendor.
mailto:test%../../../../windows/system32/calc.exe".cmd
in "Start/Run"
1) on a system with Windows XP and IE6. Outlook Express is executed as
expected.
2) now do the very same thing on a system with Windows XP and IE7.
calc.exe is executed.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Currently an EMF file is used as a test attack vector. Outlook and
Outlook Express will automatically display EMF images and trigger the
vulnerability. Lotus Notes and Thunderbird do not display EMF images in
e-mail directly, but the vulnerability still can be triggered when
opening or viewing the EMF attachment.
IV. DETECTION
Hey.
I've been waiting to see when somebody finally got around to testing
Outlook Express.
It's also possible to exploit this through Outlook full version from
Office 2003.
I have also discovered other problems (not difficult to find) which
allow the execution of any program which has registered as a