---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Outlook Express / Windows Mail STAT Response Integer Overflow SECUNIA ADVISORY ID: SA39766 VERIFY ADVISORY: http://secunia.com/advisories/39766/ DESCRIPTION: Francis Provencher has discovered a vulnerability in Microsoft Outlook Express and Windows Mail, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an integer overflow when processing responses received from a POP3 server. This can be exploited to dereference out-of-bounds memory and potentially trigger a memory corruption via a specially crafted STAT response. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server. The vulnerability is confirmed in Outlook Express on a fully patched Windows 2000, Windows XP SP3, and Windows Server 2003, and in Windows Mail on a fully patched Windows Server 2008. Windows Mail in Windows Vista is also reportedly affected. SOLUTION: Apply patches. -- Windows 2000 SP4 -- Microsoft Outlook Express 5.5 SP2: http://www.microsoft.com/downloads/details.aspx?familyid=661F5DE3-A593-4961-8E8D-2777797EB5C5 Microsoft Outlook Express 6 SP1 http://www.microsoft.com/downloads/details.aspx?familyid=CDA75174-B535-4559-A52D-B5EC3A1DF349 -- Windows XP SP2/SP3 -- Microsoft Outlook Express 6: http://www.microsoft.com/downloads/details.aspx?familyid=99707C3D-A3CB-47DA-B38E-8AE0227FD703 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=99707C3D-A3CB-47DA-B38E-8AE0227FD703 -- Windows XP Professional x64 Edition SP2 -- Microsoft Outlook Express 6: http://www.microsoft.com/downloads/details.aspx?familyid=44BC97BB-6F76-4C96-AF72-69DAAEA80FFF Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=44BC97BB-6F76-4C96-AF72-69DAAEA80FFF -- Windows Server 2003 SP2 -- Microsoft Outlook Express 6 http://www.microsoft.com/downloads/details.aspx?familyid=EB9742FC-0934-4B38-9EC4-3597FC71EC00 -- Windows Server 2003 x64 Edition SP2 -- Microsoft Outlook Express 6: http://www.microsoft.com/downloads/details.aspx?familyid=5678515A-97EA-4E00-8700-D3F2FCDC0EFC -- Windows Server 2003 with SP2 for Itanium-based Systems -- Microsoft Outlook Express 6: http://www.microsoft.com/downloads/details.aspx?familyid=60EF635B-CB6D-402F-B904-E69B519D797F -- Windows Vista SP1/SP2 -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=A970C869-24FE-4EF4-B189-7A6BAC2411F1 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=A970C869-24FE-4EF4-B189-7A6BAC2411F1 -- Windows Vista x64 Edition SP1/SP2 -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=9A7853B5-4F9F-4467-9530-EEA2EFD504A5 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=9A7853B5-4F9F-4467-9530-EEA2EFD504A5 -- Windows Server 2008 for 32-bit Systems (optionally with SP2) -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=5F77A640-247C-4ED2-9FCA-4B7344F4DC7C Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=5F77A640-247C-4ED2-9FCA-4B7344F4DC7C -- Windows Server 2008 for x64-based Systems (optionally with SP2) -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=B0EAB011-5847-44E4-BC0D-5C5355E1E8D0 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=B0EAB011-5847-44E4-BC0D-5C5355E1E8D0 -- Windows Server 2008 for Itanium-based Systems (optionally with SP2) -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=DA01AE82-895E-4739-916F-A63B9095A076 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=DA01AE82-895E-4739-916F-A63B9095A076 -- Windows 7 for 32-bit Systems -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=1F0C17BE-BA4C-4A1C-B9C3-8AC368800947 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=1F0C17BE-BA4C-4A1C-B9C3-8AC368800947 -- Windows 7 for x64-based Systems -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=A70F15E1-512C-44CA-A308-928E237AC0CE Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=A70F15E1-512C-44CA-A308-928E237AC0CE -- Windows Server 2008 R2 for x64-based Systems -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=E2E25C02-38CE-4868-A01A-39FC7D2A4150 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=E2E25C02-38CE-4868-A01A-39FC7D2A4150 -- Windows Server 2008 R2 for Itanium-based Systems -- Windows Mail: http://www.microsoft.com/downloads/details.aspx?familyid=53ED1055-B5EE-4FDE-9550-F8B401916467 Windows Live Mail: http://www.microsoft.com/downloads/details.aspx?familyid=53ED1055-B5EE-4FDE-9550-F8B401916467 PROVIDED AND/OR DISCOVERED BY: Francis Provencher, Protek Research Lab's. CHANGELOG: 2010-05-11: Updated "Extended Description" and added PoC. Updated "Solution" section. Added additional information provided by Microsoft. ORIGINAL ADVISORY: MS10-030 (KB978542): http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx Francis Provencher: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=13&Itemid=13 OTHER REFERENCES: Malicious Mail server vulnerability (blog): http://blogs.technet.com/srd/archive/2010/05/11/ms10-030-malicious-mail-server-vulnerability.aspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------