Secunia Security Advisory - Francis Provencher has discovered a vulnerability in Microsoft Outlook Express and Windows Mail, which can be exploited by malicious people to potentially compromise a user's system.
15879cbeb82f803e03191b6594e48cbea94dd6465cd367c0d573ac50cfb77cec
----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Outlook Express / Windows Mail STAT Response Integer Overflow
SECUNIA ADVISORY ID:
SA39766
VERIFY ADVISORY:
http://secunia.com/advisories/39766/
DESCRIPTION:
Francis Provencher has discovered a vulnerability in Microsoft
Outlook Express and Windows Mail, which can be exploited by malicious
people to potentially compromise a user's system.
The vulnerability is caused due to an integer overflow when
processing responses received from a POP3 server. This can be
exploited to dereference out-of-bounds memory and potentially trigger
a memory corruption via a specially crafted STAT response.
Successful exploitation may allow execution of arbitrary code, but
requires that the user is tricked into connecting to a malicious POP3
server.
The vulnerability is confirmed in Outlook Express on a fully patched
Windows 2000, Windows XP SP3, and Windows Server 2003, and in Windows
Mail on a fully patched Windows Server 2008. Windows Mail in Windows
Vista is also reportedly affected.
SOLUTION:
Apply patches.
-- Windows 2000 SP4 --
Microsoft Outlook Express 5.5 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=661F5DE3-A593-4961-8E8D-2777797EB5C5
Microsoft Outlook Express 6 SP1
http://www.microsoft.com/downloads/details.aspx?familyid=CDA75174-B535-4559-A52D-B5EC3A1DF349
-- Windows XP SP2/SP3 --
Microsoft Outlook Express 6:
http://www.microsoft.com/downloads/details.aspx?familyid=99707C3D-A3CB-47DA-B38E-8AE0227FD703
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=99707C3D-A3CB-47DA-B38E-8AE0227FD703
-- Windows XP Professional x64 Edition SP2 --
Microsoft Outlook Express 6:
http://www.microsoft.com/downloads/details.aspx?familyid=44BC97BB-6F76-4C96-AF72-69DAAEA80FFF
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=44BC97BB-6F76-4C96-AF72-69DAAEA80FFF
-- Windows Server 2003 SP2 --
Microsoft Outlook Express 6
http://www.microsoft.com/downloads/details.aspx?familyid=EB9742FC-0934-4B38-9EC4-3597FC71EC00
-- Windows Server 2003 x64 Edition SP2 --
Microsoft Outlook Express 6:
http://www.microsoft.com/downloads/details.aspx?familyid=5678515A-97EA-4E00-8700-D3F2FCDC0EFC
-- Windows Server 2003 with SP2 for Itanium-based Systems --
Microsoft Outlook Express 6:
http://www.microsoft.com/downloads/details.aspx?familyid=60EF635B-CB6D-402F-B904-E69B519D797F
-- Windows Vista SP1/SP2 --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=A970C869-24FE-4EF4-B189-7A6BAC2411F1
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=A970C869-24FE-4EF4-B189-7A6BAC2411F1
-- Windows Vista x64 Edition SP1/SP2 --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=9A7853B5-4F9F-4467-9530-EEA2EFD504A5
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=9A7853B5-4F9F-4467-9530-EEA2EFD504A5
-- Windows Server 2008 for 32-bit Systems (optionally with SP2) --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=5F77A640-247C-4ED2-9FCA-4B7344F4DC7C
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=5F77A640-247C-4ED2-9FCA-4B7344F4DC7C
-- Windows Server 2008 for x64-based Systems (optionally with SP2)
--
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=B0EAB011-5847-44E4-BC0D-5C5355E1E8D0
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=B0EAB011-5847-44E4-BC0D-5C5355E1E8D0
-- Windows Server 2008 for Itanium-based Systems (optionally with
SP2) --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=DA01AE82-895E-4739-916F-A63B9095A076
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=DA01AE82-895E-4739-916F-A63B9095A076
-- Windows 7 for 32-bit Systems --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=1F0C17BE-BA4C-4A1C-B9C3-8AC368800947
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=1F0C17BE-BA4C-4A1C-B9C3-8AC368800947
-- Windows 7 for x64-based Systems --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=A70F15E1-512C-44CA-A308-928E237AC0CE
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=A70F15E1-512C-44CA-A308-928E237AC0CE
-- Windows Server 2008 R2 for x64-based Systems --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=E2E25C02-38CE-4868-A01A-39FC7D2A4150
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=E2E25C02-38CE-4868-A01A-39FC7D2A4150
-- Windows Server 2008 R2 for Itanium-based Systems --
Windows Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=53ED1055-B5EE-4FDE-9550-F8B401916467
Windows Live Mail:
http://www.microsoft.com/downloads/details.aspx?familyid=53ED1055-B5EE-4FDE-9550-F8B401916467
PROVIDED AND/OR DISCOVERED BY:
Francis Provencher, Protek Research Lab's.
CHANGELOG:
2010-05-11: Updated "Extended Description" and added PoC. Updated
"Solution" section. Added additional information provided by
Microsoft.
ORIGINAL ADVISORY:
MS10-030 (KB978542):
http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx
Francis Provencher:
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=13&Itemid=13
OTHER REFERENCES:
Malicious Mail server vulnerability (blog):
http://blogs.technet.com/srd/archive/2010/05/11/ms10-030-malicious-mail-server-vulnerability.aspx
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------