Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability



> -----Original Message-----
> From: advisories@xxxxxxxxxxxxxxxxxxxxx 
> [mailto:advisories@xxxxxxxxxxxxxxxxxxxxx] 
> Sent: Thursday, January 11, 2007 3:53 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Computer Terrorism (UK) :: Incident Response Centre 
> - Microsoft Outlook Vulnerability
> 
> 
> Computer Terrorism  (UK) :: Incident Response Centre
> 
> www.computerterrorism.com
> 
> Security Advisory: CT09-01-2007
> 
> 
> =======================================================
> Microsoft Outlook Advanced Find - Remote Code Execution
> =======================================================
> 
> Advisory Date: 11th January 2007
> 
> Severity: Critical
> Impact: Remote System Access
> Solution Status: Vendor Patch
> 
> CVE Reference:  CVE-2007-0034
> 
> 
> Affected Software
> =================
> 
> Microsoft Outlook 2000
> Microsoft Outlook 2002
> Microsoft Outlook 2003
> 
> 
> 1. OVERVIEW
> ===========
> 
> Microsoft Outlook is a popular personal communication manager that 
> provides end users with a unified place to manage e-mail, calendar 
> and contact information.
> 
> As part of its standard offering, Outlook also includes an Advanced 
> Search facility (Finder.exe) enabling end-users to query any aspect 
> of their repository information.
> 
> Unfortunately, it transpires that Outlook/Finder is susceptible to 
> a remote buffer overflow vulnerability when processing the contents 
> of a specially crafted Office Saved Search (.oss) file.
> 
> 
> 2. TECHNICAL NARRATIVE
> ======================
> 
> The issue in question stems from a simple oversight in the design of 
> an intrinsic string manipulation function, which attempts to copy 
> 1024 bytes of user-supplied Unicode content to a pre-allocated buffer 
> of only 512 bytes (even though sufficient length checks are invoked).
> 
> As the destination buffer is unable to accommodate the additional data, 
> the net result is that of a classic stack overflow condition, in which 
> Instruction Pointer (EIP) control is gained via one of several 
> available return addresses.
> 
> 
> 3. EXPLOITATION
> ===============
> 
> As with most file parsing vulnerabilities, the aforementioned issue 
> will require a certain degree of social engineering to achieve 
> successful exploitation.
> 
> However, Office Saved Searches (.oss) file types share very similar 
> display characteristics to that of harmless looking e-mail icons. 
> As such, end-users could be fooled into thinking the attachment is 
> a non-threatening mail forward.
> 
> 
> 
> 4. VENDOR RESPONSE
> ==================
> 
> The vendor security bulletin and corresponding patches are available 
> at the following location:
> 
> http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
> 
> 
> 5. DISCLOSURE ANALYSIS
> ======================
> 
> 12/05/2006  Preliminary Vendor notification.
> 24/05/2006  Vulnerability confirmed by Vendor 
> 16/10/2006  Public Disclosure Deferred by Vendor
> 09/01/2007  Public release.
> 
> Total Time to Fix: 7 months 29 Days (243 days in total)
> 
> 
> 6. CREDIT 
> =========
> 
> The vulnerability was discovered by Stuart Pearson of 
> Computer Terrorism
> 
> 
> 
> 
> ========================
> About Computer Terrorism
> ========================
> 
> Computer Terrorism (UK) Ltd is a global provider of Digital Risk 
> Intelligence services. Our unique approach to vulnerability risk 
> assessment and mitigation has helped protect some of the world's 
> most at-risk organisations.
> 
> Headquartered in London, Computer Terrorism has representation 
> throughout Europe & North America and can be reached at 
> +44 (0) 870 250 9866 or email:-
> 
> sales [at] computerterrorism.com
> 
> To learn more about our services or to register for a FREE 
> comprehensive website penetration test, visit: 
> http://www.computerterrorism.com
> 
> 
> Computer Terrorism (UK) :: Protection for a vulnerable world.
> 
> 
> 
> 
> 

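Editor's note on the bug class in section 2 of the forwarded advisory. The advisory says a length check is performed, yet 1024 bytes of Unicode end up in a 512-byte buffer. The usual way that happens is a check that counts UTF-16 characters while the destination is sized in bytes: 512 code units pass a "<= 512" check but occupy 1024 bytes. That reading is an assumption consistent with the advisory's figures, not a statement about Finder.exe's actual code, and the example below is written for this archive page; it is not code from Computer Terrorism, Microsoft, or the original post. All names (`copy_checked_in_chars`, `copy_checked_in_bytes`, `run_copy`, the frame model) are invented. The "stack frame" is a plain array with a canary region after the 512-byte buffer so the overrun can be observed without undefined behaviour; the attacker string is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory: a 512-byte destination, and a length check
   that lets 1024 bytes of UTF-16 through. Everything else here is made up. */
#define DEST_BYTES  512
#define MAX_CHARS   512                      /* check measured in UTF-16 code units */
#define FRAME_BYTES (DEST_BYTES + 1024 + 4)  /* buffer + modelled saved regs / return addr */
#define CANARY      0xAA

typedef uint16_t wchar16;                    /* a UTF-16 code unit, as Windows wchar_t */

typedef struct {
    int    accepted;        /* input passed the length check */
    size_t bytes_needed;    /* bytes the input occupies, terminator included */
    size_t bytes_written;   /* bytes the routine copied into the frame */
    int    canary_smashed;  /* bytes beyond DEST_BYTES were overwritten */
} copy_result;

/* Like wcslen on Windows: count 16-bit units up to the NUL unit. */
static size_t wlen16(const wchar16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* 1 if nothing past the 512-byte buffer has been touched. */
static int canary_intact(const uint8_t *frame)
{
    for (size_t i = DEST_BYTES; i < FRAME_BYTES; i++)
        if (frame[i] != CANARY)
            return 0;
    return 1;
}

/* Vulnerable pattern (hypothetical): the check counts characters, the buffer
   is sized in bytes. 512 code units pass the check and memcpy writes 1026
   bytes into a 512-byte slot. The frame array is large enough that this demo
   stays memory-safe; in real code those bytes land on the saved return address. */
static copy_result copy_checked_in_chars(uint8_t *frame, const wchar16 *src)
{
    copy_result r = {0, 0, 0, 0};
    size_t n = wlen16(src);
    r.bytes_needed = (n + 1) * sizeof(wchar16);
    if (n > MAX_CHARS)                 /* "sufficient" only if the units were bytes */
        return r;
    r.accepted = 1;
    memcpy(frame, src, r.bytes_needed);
    r.bytes_written = r.bytes_needed;
    r.canary_smashed = !canary_intact(frame);
    return r;
}

/* Hardened pattern: compare in the unit the destination is sized in,
   and count the terminator. */
static copy_result copy_checked_in_bytes(uint8_t *frame, const wchar16 *src)
{
    copy_result r = {0, 0, 0, 0};
    size_t n = wlen16(src);
    r.bytes_needed = (n + 1) * sizeof(wchar16);
    if (r.bytes_needed > DEST_BYTES)
        return r;
    r.accepted = 1;
    memcpy(frame, src, r.bytes_needed);
    r.bytes_written = r.bytes_needed;
    r.canary_smashed = !canary_intact(frame);
    return r;
}

/* Drive one routine on a constructed input of nchars 'A' code units placed
   in a freshly canaried frame. nchars is capped at 2*MAX_CHARS. */
static copy_result run_copy(size_t nchars, int hardened)
{
    static wchar16 input[2 * MAX_CHARS + 1];   /* constructed attacker string */
    static uint8_t frame[FRAME_BYTES];         /* modelled stack frame */
    if (nchars > 2 * MAX_CHARS)
        nchars = 2 * MAX_CHARS;
    for (size_t i = 0; i < nchars; i++)
        input[i] = 0x0041;
    input[nchars] = 0;
    memset(frame, CANARY, FRAME_BYTES);
    return hardened ? copy_checked_in_bytes(frame, input)
                    : copy_checked_in_chars(frame, input);
}

int main(void)
{
    size_t n = MAX_CHARS;
    copy_result v = run_copy(n, 0), h = run_copy(n, 1);
    printf("%zu units (%zu bytes): vulnerable accepted=%d smashed=%d | hardened accepted=%d\n",
           n, v.bytes_needed, v.accepted, v.canary_smashed, h.accepted);
    return 0;
}
```

Running it with 512 code units shows the character-counted check accepting the input and the canary region being overwritten, while the byte-counted check rejects it. Note the boundary: 255 code units (510 bytes plus a 2-byte terminator) is the largest input the hardened routine accepts; 256 already overruns the 512-byte buffer by the terminator alone, which a check that forgets the NUL unit would also miss.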
Copyright © Lexa Software, 1996-2009.