The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Outlook Advanced Find Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Microsoft Outlook is "a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar and
contact information".
As part of its standard offering, Outlook also includes an Advanced Search
facility (Finder.exe) enabling end-users to query any aspect of their
repository information. Unfortunately, it transpires that Outlook/Finder
is susceptible to a remote Buffer overflow vulnerability, when processing
the contents of a specially crafted Office Saved Search (.oss) file.
DETAILS
The issue in question stems from a simple oversight in the design of an
intrinsic string manipulation function, which attempts to copy 1024 bytes
of user supplied Unicode content, to a pre-allocated buffer of only 512
bytes (even though sufficient length checks are invoked).
As the destination buffer is unable to accommodate the additional data,
the net result is that of a classic stack overflow condition, in which
Instruction Pointer (EIP) control is gained via one of several available
return addresses.
Exploitation:
As with most file parsing vulnerabilities, the aforementioned issue will
require a certain degree of social engineering to achieve successful
exploitation.
However, Office Saved Searches (.oss) file types share very similar
display characteristics to that of harmless looking e-mail icons. As such,
end-users could be fooled into thinking the attachment is a
non-threatening mail forward.
Vendor Response:
The vendor security bulletin and corresponding patches are available at
the following location:
<http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
Disclosure Timeline:
12/05/2006 - Preliminary Vendor notification.
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.
Total Time to Fix: 7 months 29 Days (243 days in total)
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0034>
CVE-2007-0034
ADDITIONAL INFORMATION
The information has been provided by
<mailto:advisories@computerterrorism.com> Stuart Pearson of Computer
Terrorism .
The original article can be found at:
<http://www.computerterrorism.com/research/ct09-01-2007.htm>
http://www.computerterrorism.com/research/ct09-01-2007.htm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
