Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability
BID:25908
Info
| Bugtraq ID: | 25908 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-3897 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 09 2007 12:00AM |
| Updated: | Oct 17 2007 01:27AM |
| Credit: | Greg MacManus of VeriSign iDefense Labs is credited with the discovery of this vulnerability. |
| Vulnerable: | Nortel Networks Universal Access - IP 0; Nortel Networks Packet Transit - IP 0; Nortel Networks Integrated Access - Cable 0; Nortel Networks Circuit Switching 0; Nortel Networks Centrex IP Element Manager 0; Nortel Networks Centrex IP Client Manager; Microsoft Windows Mail 0; Microsoft Outlook Express 6.0 SP1; Microsoft Outlook Express 6.0; Microsoft Outlook Express 5.5 SP2; HP Storage Management Appliance III; HP Storage Management Appliance II; HP Storage Management Appliance I; HP Storage Management Appliance 2.1 |
| Not Vulnerable: | |
Discussion
Microsoft Outlook Express and Windows Mail are prone to a remote heap-based buffer-overflow vulnerability. This issue occurs because the applications fail to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue will allow an attacker to execute arbitrary code with the privileges of the currently logged-in user.
Exploit / POC
Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution / Fix
Solution:
The vendor has released an advisory to address this issue in supported versions of affected applications. Please see the referenced advisory for details on obtaining and applying the appropriate updates.
NOTE: Microsoft has released a revised bulletin (V2.0) MS07-056 to include Windows XP Professional x64 Edition in the affected software section and to address missing information for Outlook Express 6.0 SP1 on Windows 2000 SP4 and for Outlook Express 5.5 SP2 on Windows 2000 SP4.
Microsoft Windows Mail 0
- Microsoft Security Update for Windows Mail for Windows Vista (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=b6ac8d93-adc3-4ec3-bad1-4990bd7d52b4&displaylang=en
- Microsoft Security Update for Windows Mail for Windows Vista for x64-based Systems (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=34aaf9dd-4d63-43e2-b631-bbf492d56a26&displaylang=en

Microsoft Outlook Express 5.5 SP2
- Microsoft Security Update for Outlook Express 5.5 Service Pack 2 (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=5AA009C9-4EDC-4F34-989B-0493549649E8&displaylang=en

Microsoft Outlook Express 6.0
- Microsoft Security Update for Outlook Express for Windows Server 2003 (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=708926e4-f8af-4533-8747-22d6536ebd66&displaylang=en
- Microsoft Security Update for Outlook Express for Windows Server 2003 for IB (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=a8844fbb-5b2c-41f3-80f1-dce563aa7cb7&displaylang=en
- Microsoft Security Update for Outlook Express for Windows Server 2003 x64 Edition (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=26720f5a-d7e9-44b9-9330-2e9faa4af0d9&displaylang=en
- Microsoft Security Update for Outlook Express for Windows XP (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3ed7f466-78c7-4251-ba24-8ae71ad54e18&displaylang=en
- Microsoft Security Update for Outlook Express for Windows XP x64 Edition (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6468a552-2194-4866-97d5-ff77ae205eea&displaylang=en

Microsoft Outlook Express 6.0 SP1
- Microsoft Security Update for Outlook Express 6 Service Pack 1 (KB941202)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=b537115d-611c-4486-960c-08d2df450579
References
References:
- Microsoft Outlook Express Homepage (Microsoft)
- Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow (iDefense Labs)
- October 2007 Microsoft Tuesday (Breakingpoint Systems)
- Windows Mail Product Page (Microsoft Corporation)
- Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow ([email protected])
- October Microsoft Tuesday (Todd Manning)
- Centrex IP Client Manager (CICM) response to Microsoft October security bulletin (Nortel Networks)
- Microsoft Security Bulletin MS07-056 (Microsoft)