Title

Microsoft Windows Address Book Remote Code Execution Vulnerability (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing a vulnerability affecting Microsoft Windows Address Book. To exploit this vulnerability, an attacker would convince a user to open a legitimate Windows Address Book (WAB) file that is located in the same network directory as a malicious dynamic link library (DLL) file. When the user opens the WAB file, Windows Address Book would attempt to load the DLL file and execute malicious code. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise an affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Insecure Library Loading Vulnerability - (CVE-2010-3147): A remote code execution vulnerability exists in the way that Windows Address Book handles the loading of DLL files. This vulnerability is caused when the Windows Address Book incorrectly restricts the path used for loading external libraries. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-096 (2423089). Vulnerable Applications/Systems: Windows XP SP 3 Windows XP Professional x64 Edition SP 2 Windows Server 2003 SP 2 (x86, x64 and Itanium) Windows Vista SP 1 and SP 2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP 2 (x86**, x64** and Itanium) Windows 7 (x86 and x64) Windows Server 2008 R2 (x64** and Itanium) **Server Core installation not affected. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below. Wab.exe Windows XP SP3 6.0.2900.6040 Windows XP SP2 x64 6.0.3790.4785 Windows 2003 SP2 6.0.3790.4785 Windows Vista SP1 / 2008 6.0.6001.18535 or 22774 Windows Vista SP2 / 2008 SP2 6.0.6002.18324 or 22503 Windows 7 and 2008 R2 Fixed by SP1 Windows 7 / 2008 R2 6.1.7600.16684 or 20814

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-25845

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.