[NT] Outlook Remote Code Execution in Preview Pane (S/MIME)
From: support@securiteam.com
Date: 10/10/02
From: support@securiteam.com To: list@securiteam.com Date: 10 Oct 2002 23:15:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Outlook Remote Code Execution in Preview Pane (S/MIME)
------------------------------------------------------------------------
SUMMARY
The S/MIME standard attempts to raise the level of trust in email messages
by letting users digitally sign them, so that the receiver can verify the
authenticity of the message received.
However, an added security feature can sometimes open up a dangerous
security hole: a vulnerability in the way Outlook Express handles S/MIME
certificates causes it to execute arbitrary code when inspecting a
malformed S/MIME signed message.
DETAILS
Vulnerable versions:
Outlook Express version 5.50
Outlook Express version 6.0
Immune versions:
Outlook Express 5.5 SP2
Outlook Express 6.0 SP1 (included in Windows XP SP1)
Microsoft Outlook
S/MIME has been implemented in Outlook Express in accordance with RFC 2311
(http://www.ietf.org/rfc/rfc2311.txt?number=2311). As the RFC states, an
error message should be displayed whenever the "From" field of the message
does not match the RFC822 Name in the signer's S/MIME certificate (in our
example, noamr@beyondsecurity.com).
The following error message is displayed whenever such a mismatch occurs
(in the example, the fake sender address has been set to "Fake"):
Security Warning
There are security problems with this message.
Please review the highlighted items listed below:
(V) Message has not been tampered with
(V) You do trust the signing digital ID
(V) The digital ID has not expired
(X) The digital ID's e-mail address does not match sender's
Signer: noamr@beyondsecurity.com
Sender: Fake
(V) The digital ID has not been revoked or revocation information for this
certificate could not be determined.
(V) There are no other problems with the digital ID
Ironically, this warning message is where the vulnerability lies. An
overflow in the code that places the sender's email address into the
warning text allows arbitrary code execution, triggered whenever a user
views the message. Viewing it in the preview pane is sufficient to trigger
the overflow.
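As an added example (not Outlook Express code, nor the advisory author's), the two pieces of logic described above written defensively in C: the RFC 2311 comparison of the "From" address against the certificate's RFC822 Name, and a bounded construction of the warning text so that an over-long sender address is truncated rather than overrunning the buffer. The function names and the 320-byte address bound are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Outlook Express code. Builds the "Security Warning"
 * text the advisory quotes with bounded formatting, so an over-long "From"
 * address is truncated rather than overrunning the buffer.
 * Returns 0 if the text fit, 1 if truncated, -1 on bad input. */
int build_sender_warning(char *out, size_t outlen,
                         const char *signer, const char *sender)
{
    if (out == NULL || outlen == 0 || signer == NULL || sender == NULL)
        return -1;
    /* snprintf writes at most outlen bytes including the NUL and returns
     * the length the complete text would have had. */
    int n = snprintf(out, outlen,
                     "(X) The digital ID's e-mail address does not match sender's\n"
                     "Signer: %s\nSender: %s\n", signer, sender);
    return n < 0 ? -1 : ((size_t)n >= outlen ? 1 : 0);
}

/* Copies the addr-spec of a From header ("Name <user@host>" or a bare
 * address) into a bounded buffer; rejects unterminated or oversized input. */
static int extract_addr(const char *from, char *addr, size_t addrlen)
{
    const char *lt = strchr(from, '<');
    const char *start = lt ? lt + 1 : from;
    const char *end = lt ? strchr(start, '>') : from + strlen(from);
    if (end == NULL || (size_t)(end - start) + 1 > addrlen)
        return -1;                      /* reject; never silently truncate */
    size_t len = (size_t)(end - start);
    memcpy(addr, start, len);
    addr[len] = '\0';
    return 0;
}

/* The RFC 2311 check the advisory describes: does the From address match
 * the certificate's rfc822Name? Compared case-insensitively as a
 * simplification (strictly, only the domain part is case-insensitive). */
int sender_matches_signer(const char *from_header, const char *rfc822name)
{
    char addr[320];                     /* assumed upper bound for an addr-spec */
    if (extract_addr(from_header, addr, sizeof addr) != 0)
        return 0;                       /* unparsable From: treat as mismatch */
    size_t i;
    for (i = 0; addr[i] && rfc822name[i]; i++)
        if (tolower((unsigned char)addr[i]) != tolower((unsigned char)rfc822name[i]))
            return 0;
    return addr[i] == '\0' && rfc822name[i] == '\0';
}
```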
Vendor response:
Microsoft has responded promptly and the fix was included in Service Pack
1 for Windows XP released a few weeks ago.
A patch for other systems is available at:
http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp
ADDITIONAL INFORMATION
The information has been provided by Noam Rathaus <noamr@beyondsecurity.com>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.