Title

Microsoft Outlook Express and Windows Mail Remote Code Executio Vulnerability (Cat II impact)

Discussion

Microsoft has reported a vulnerability in Outlook Express and Windows Mail. To exploit this vulnerability, an attacker would set up a malicious e-mail server and entice a user to connect to this machine. The attacker would then respond with a crafted POP3 or IMAP response, causing the client to trigger the vulnerability. The Post Office Protocol 3 (POP3) servers hold incoming e-mail messages until you check your e-mail, at which point they're transferred to your computer. Internet Message Access Protocol 4 (IMAP4) is a protocol for reading mail and accessing public folders on remote servers. Alternatively, a man-in-the-middle could edit specific server responses and cause this vulnerability to be triggered. If successfully exploited, this vulnerability would allow an attacker to execute remote code and compromise the affected systems in the context of the current user. At this time, there are no known exploits associated with this vulnerability and the JTF-GNO is not aware of any DoD related incidents. Microsoft Outlook Express and Windows Mail Integer Overflow Vulnerability - (CVE-2010-0816): An unauthenticated remote code execution vulnerability exists in the way that Windows Mail Client handles specially crafted mail responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted response to a client initiating a connection to a server under his control using the common mail protocols POP3 and IMAP. The vulnerability is caused when a common library used by Outlook Express and Windows Mail insufficiently validates network data before using that data to calculate the necessary size of a buffer.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-030 (978542). Vulnerable Applications/Systems: Microsoft Windows 2000 SP 4 Microsoft Outlook Express 5.5 SP 2 Microsoft Outlook Express 6 SP 1 Windows XP SP 2 and SP 3 Microsoft Outlook Express 6 Windows Live Mail[1] Windows XP Professional x64 Edition SP 2 Microsoft Outlook Express 6 Windows Live Mail[1] Windows Server 2003 SP 2 (x86, x64 and Itanium) Microsoft Outlook Express 6 Windows Vista SP 1 and SP 2 (x86 and x64) Windows Mail Windows Live Mail[1] Windows Server 2008 and SP 2 (x86**, x64** and Itanium) Windows Mail Windows Live Mail[1] Windows 7 (x86 and x64) Windows Mail[2] Windows Live Mail[1] Windows Server 2008 R2 for (x64** and Itanium) Windows Mail[2] Windows Live Mail[1] **Server Core installation not affected. [1]Windows Live Mail is an out-of-box component on this operating system that needs to be installed separately for the vulnerability to exist. [2]Windows Mail is an out-of-box component on this operating system that needs to be installed separately for the vulnerability to exist. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below. Inetcomm.dll Windows 2000 SP4 6.0.2800.2001 Windows XP SP3 6.0.2900.5931 Windows XP SP2 x64 6.0.3790.4657 Windows 2003 SP2 6.0.3790.4657 Windows Vista SP1 / 2008 6.0.6001.18416 or 22621 Windows 2008 Itanium 6.0.6001.18427 or 22636 Windows Vista SP2 / 2008 SP2 6.0.6002.18197 or 22325 Windows 2008 Itanium SP2 6.0.6001.18209 or 22341 Windows 7 and 2008 R2 Fixed by SP1 Windows 7 / 2008 R2 6.1.7600.16543 or 20659

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-24168

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.