The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow
------------------------------------------------------------------------
SUMMARY
Microsoft Windows Mail and Outlook Express are "the default mail and news
clients for Windows operating systems". Remote exploitation of a heap
overflow in Microsoft Corp.'s Windows Mail and Outlook Express NNTP
clients may allow an attacker to execute code with the privileges of the
logged on user.
DETAILS
NNTP (Network News Transfer Protocol) is a protocol for reading and
posting Usenet articles. Windows Mail and Outlook Express both contain a
heap overflow vulnerability in their handling of NNTP replies. If the
server returns more data than the client requests, attacker controlled
values can be stored outside of the allocated memory region, overwriting
control structures in a way which may allow code execution.
Analysis:
Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the currently logged on user. In order to
exploit this vulnerability, and attacker would need to convince the
targeted user to view a website under their control or otherwise open a
link to their NNTP server. No further interaction is required to exploit
the vulnerability.
If the 'nntp', 'news' or 'snews' (secure news) protocol handlers have not
been explicitly associated with another application, the default handlers
will be set to Windows Mail (in Vista) and Outlook Express (in previous
versions of Windows). Exploitation of this vulnerability does not require
the targeted user to have setup an account in the affected program.
Detection:
iDefense confirmed the following programs on Windows operating systems are
affected:
* Windows Mail on Windows Vista
* Outlook Express 6 on Windows XP SP2
* Outlook Express 6 on Windows 2000 SP4
Workaround:
Deleting the all sub-keys of the following registry keys will remove the
'news' and 'snews' protocol handlers:
HKEY_CLASSES_ROOT\news\shell
HKEY_CLASSES_ROOT\snews\shell
These keys may be restored under some circumstances. To prevent this from
occurring, Set the 'Deny Full Control' permission for the group 'Everyone'
on the keys.
Vendor response:
Microsoft has addressed this vulnerability within MS07-056. For more
information, consult their bulletin at the following URL.
<http://www.microsoft.com/technet/security/Bulletin/MS07-056.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS07-056.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3897>
CVE-2007-3897
Disclosure Timeline:
07/11/2007 - Initial vendor notification
07/11/2007 - Initial vendor response
10/09/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:labs-no-reply@idefense.com>
iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=607>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=607
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
