Security Update for Outlook Express and Windows Mail (MS07-056)
------------------------------------------------------------------------
SUMMARY
The vulnerability could allow remote code execution due to an incorrectly
handled malformed NNTP response.
An attacker could exploit the vulnerability by constructing a specially
crafted Web page.
DETAILS
Affected Software (operating system with the affected news client):
* Microsoft Windows 2000 Service Pack 4 with Outlook Express 5.5 Service Pack 2
* Microsoft Windows 2000 Service Pack 4 with Outlook Express 6 Service Pack 1
* Windows XP Service Pack 2 with Microsoft Outlook Express 6
* Windows XP Professional x64 Edition Service Pack 2 with Microsoft Outlook Express 6
* Windows Server 2003 Service Pack 1 with Microsoft Outlook Express 6
* Windows Server 2003 Service Pack 2 with Microsoft Outlook Express 6
* Windows Server 2003 x64 Edition with Microsoft Outlook Express 6
* Windows Server 2003 x64 Edition Service Pack 2 with Microsoft Outlook Express 6
* Windows Server 2003 with SP1 for Itanium-based Systems with Microsoft Outlook Express 6
* Windows Server 2003 with SP2 for Itanium-based Systems with Microsoft Outlook Express 6
* Windows Vista with Windows Mail
* Windows Vista x64 Edition with Windows Mail
Network News Transfer Protocol Memory Corruption Vulnerability:
A remote code execution vulnerability exists in Outlook Express and
Windows Mail on Windows Vista, due to incorrect handling of a malformed
NNTP response. An attacker could exploit the vulnerability by constructing
a specially crafted Web page: the page invokes the news client through the
news: or snews: protocol handler (the handler the workarounds below
disable), so that the client connects to a news server of the attacker's
choosing and processes its response. If a user viewed the Web page, the
vulnerability could allow remote code execution. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the logged-on user.
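The bulletin does not say which malformation of the NNTP response triggers the memory corruption, so the following does not reproduce the bug. It is an added illustration (not Microsoft's code) of the framing checks a news client should apply to every server response before trusting it: a well-formed status line, a bound on line length, strict CRLF termination, no control characters, and a size cap on dot-terminated multi-line blocks. The limits, the `MalformedResponse` type and the sample traffic are all assumptions constructed for the example.

```python
"""Defensive reader for NNTP responses (RFC 3977 framing).

Added illustration, not Microsoft's code and not a reproduction of the
MS07-056 flaw. Every response read from the server passes through the
checks below before any of its content is acted on.
"""
import io
import re

# Limits are local policy choices (assumptions), not values from the bulletin.
MAX_STATUS_LINE = 512      # RFC 3977 caps the initial response line at 512 octets
MAX_BLOCK_LINE = 4096      # per-line cap inside multi-line blocks (articles, lists)
MAX_BLOCK_LINES = 10_000   # cap on the number of lines in one multi-line block
MAX_BLOCK_BYTES = 1 << 20  # cap on total bytes in one multi-line block

# Response codes whose status line is followed by a dot-terminated block.
MULTILINE_CODES = {100, 101, 215, 220, 221, 222, 224, 225, 230, 231}

_STATUS_RE = re.compile(rb"^([1-5][0-9]{2})(?: (.*))?$")


class MalformedResponse(ValueError):
    """Raised instead of processing a response that violates the framing rules."""


def read_line(stream, limit):
    """Read one CRLF-terminated line of at most `limit` octets (CRLF included).

    readline(limit + 1) returns more than `limit` bytes only when the line is
    overlong, and returns a line without CRLF only at EOF or on a bare LF;
    both cases are rejected rather than handed on as data.
    """
    line = stream.readline(limit + 1)
    if not line:
        raise MalformedResponse("connection closed mid-response")
    if len(line) > limit or not line.endswith(b"\r\n"):
        raise MalformedResponse("response line overlong or not CRLF-terminated")
    return line[:-2]


def parse_response(stream):
    """Return (code, text, body) for the next response on `stream`.

    `body` is a list of dot-unstuffed lines for multi-line responses, else None.
    """
    status_line = read_line(stream, MAX_STATUS_LINE)
    m = _STATUS_RE.match(status_line)
    if not m:
        raise MalformedResponse("status line is not '<3-digit code> [text]'")
    code = int(m.group(1))
    text = m.group(2) or b""
    if any(b < 0x20 or b == 0x7F for b in text):
        raise MalformedResponse("control character in status text")

    if code not in MULTILINE_CODES:
        return code, text, None

    body, total = [], 0
    while True:
        line = read_line(stream, MAX_BLOCK_LINE)
        if line == b".":                 # terminator: a line holding a single dot
            return code, text, body
        if line.startswith(b"."):        # dot-stuffing: a leading ".." means "."
            line = line[1:]
        total += len(line)
        if len(body) >= MAX_BLOCK_LINES or total > MAX_BLOCK_BYTES:
            raise MalformedResponse("multi-line block exceeds size policy")
        body.append(line)


def parse_bytes(data):
    """Convenience wrapper: parse a captured response held in memory."""
    return parse_response(io.BytesIO(data))


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real server.
    good = (b"220 0 <1@news.example> article follows\r\n"
            b"Subject: hello\r\n\r\n..starts with a dot\r\n.\r\n")
    print(parse_bytes(good))
    for bad in (b"220 " + b"A" * 600 + b"\r\n",            # overlong status line
                b"hello world\r\n",                         # no status code
                b"200 ok\n",                                # bare LF, not CRLF
                b"220 ok\r\nbody but no terminator\r\n"):   # truncated block
        try:
            parse_bytes(bad)
        except MalformedResponse as exc:
            print("rejected:", exc)
```

The point of the structure is that nothing downstream (header parsing, article rendering) ever sees an unbounded or unterminated line: the length check happens inside the read, not after the data has been copied into a buffer.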
Mitigating Factors for Network News Transfer Protocol Memory Corruption
Vulnerability:
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:
* In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, Web sites that accept or host user-provided content, or
compromised Web sites and advertisement servers, could contain specially
crafted content that could exploit this vulnerability. In all cases,
however, an attacker would have no way to force users to visit these Web
sites. Instead, an attacker would have to persuade users to visit the Web
site, typically by getting them to click a link in an e-mail message or
Instant Messenger message that takes users to the attacker's Web site.
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.
* Internet Explorer 7 Protected Mode on Windows Vista displays a warning
dialog that a Web page is attempting to access Windows Mail. The user
would have to click Allow before the vulnerability could be exploited.
Workarounds for Network News Transfer Protocol Memory Corruption:
Workaround refers to a setting or configuration change that does not
correct the underlying vulnerability but would help block known attack
vectors before you apply the update. Microsoft has tested the following
workarounds and states in the discussion whether a workaround reduces
functionality:
* Disable news protocol handler.
You can disable the news protocol handler by removing the application
associated with it in the registry.
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.
Paste the following text in a text editor such as Notepad. Then, save the
file by using the .reg file name extension
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\news\shell\open\command]
@=""
[HKEY_CLASSES_ROOT\snews\shell\open\command]
@=""
You can apply this .reg file to individual systems by double-clicking it.
You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the following Microsoft Web sites:
* Group Policy collection
* What is Group Policy Object Editor?
* Core Group Policy tools and settings
Impact of workaround: This workaround removes the associated application
that is used to run NNTP.
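Applying the .reg file above across a domain is only half the job; a practitioner also wants to confirm that the news: and snews: handlers really are empty on each machine. The following is an added example (not part of the bulletin or Microsoft's tooling) that parses .reg text, either the workaround file itself or the output of `reg export HKCR\news news.reg` (which Windows writes as UTF-16, so open it with `encoding="utf-16"`), and reports the state of both handlers. It handles REG_SZ values only and treats any other non-empty data as an enabled handler. The two sample exports are constructed for the example; the executable path in the "enabled" sample is illustrative, not copied from a real system.

```python
"""Audit a .reg export for the MS07-056 news:/snews: handler workaround.

Added example, not Microsoft's code. parse_reg() reads the .reg text format
(string values only); handler_status() reports, per scheme, whether the
shell\open\command default value is empty ("disabled"), non-empty
("enabled") or the key is missing from the export ("absent").
"""
import re

HANDLER_KEYS = {
    "news": r"HKEY_CLASSES_ROOT\news\shell\open\command",
    "snews": r"HKEY_CLASSES_ROOT\snews\shell\open\command",
}

# value line: @=<data> or "name"=<data>
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the key's default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")
                or line.startswith("REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue            # hex(...) continuation lines etc. are skipped
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # REG_SZ: undo the .reg escaping of backslashes and quotes
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def handler_status(reg_text):
    """Map each scheme to 'disabled', 'enabled' or 'absent'."""
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    status = {}
    for scheme, path in HANDLER_KEYS.items():
        values = keys.get(path.lower())
        if values is None:
            status[scheme] = "absent"
        elif values.get("", "") == "":
            status[scheme] = "disabled"   # nothing is launched for this scheme
        else:
            status[scheme] = "enabled"    # a command is still registered
    return status


# The bulletin's own workaround file, verbatim.
WORKAROUND_REG = """Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\news\\shell\\open\\command]
@=""

[HKEY_CLASSES_ROOT\\snews\\shell\\open\\command]
@=""
"""

# Constructed sample of what `reg export` might show before the workaround.
# The path is illustrative only.
VULNERABLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\news\shell\open\command]
@="\"C:\\Program Files\\Outlook Express\\msimn.exe\" /newsurl:%1"

[HKEY_CLASSES_ROOT\snews\shell\open\command]
@="\"C:\\Program Files\\Outlook Express\\msimn.exe\" /newsurl:%1"
'''

if __name__ == "__main__":
    print("after workaround:", handler_status(WORKAROUND_REG))
    print("before workaround:", handler_status(VULNERABLE_EXPORT))
```

A key that is present but whose default value is empty is the state the workaround produces; "absent" means the machine has no handler registered at all, which is equally safe for this vector but usually indicates the news client was never installed.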
* Remove News Accounts.
Remove all registered news accounts from the Outlook Express or Windows
Mail client:
1. In Windows Mail or Outlook Express, select the Tools menu and then
Accounts.
2. Select a News account, click Remove, and then click OK or Yes.
3. Repeat step 2 for all News accounts.
Impact of workaround: Removing registered newsgroups makes them unavailable
for use until you register them again.
FAQ for Network News Transfer Protocol Memory Corruption:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the logged on user.
What causes the vulnerability?
The vulnerability is present due to incorrect handling of malformed
responses in the Network News Transfer Protocol (NNTP).
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the
same user rights as the logged on user.
How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to
exploit this vulnerability and then convince a user to view the Web site.
This can also include Web sites that accept user-provided content or
advertisements, Web sites that host user-provided content or
advertisements, and compromised Web sites. These Web sites could contain
specially crafted content that could exploit this vulnerability. In no
case, however, would an attacker have a way to force users to visit these
Web sites. Instead, an attacker would have to convince users to visit the
Web site, typically by getting them to click a link in an e-mail message
or in an Instant Messenger request that takes users to the attacker's Web
site.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user be logged on and visit a Web site
for any malicious action to occur. Therefore, systems where Internet
Explorer is used frequently, such as workstations or terminal servers, are
at the most risk from this vulnerability.
What does the update do?
The update removes the vulnerability by changing the news client to handle
malformed responses correctly.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
CVE Information:
CVE-2007-3897: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3897>
ADDITIONAL INFORMATION
The information has been provided by Microsoft Security Bulletin MS07-056.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.