Thread-topic: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability
> -----Original Message-----
> From: advisories@xxxxxxxxxxxxxxxxxxxxx
> [mailto:advisories@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, January 11, 2007 3:53 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Computer Terrorism (UK) :: Incident Response Centre
> - Microsoft Outlook Vulnerability
>
>
> Computer Terrorism (UK) :: Incident Response Centre
>
> www.computerterrorism.com
>
> Security Advisory: CT09-01-2007
>
>
> =======================================================
> Microsoft Outlook Advanced Find - Remote Code Execution
> =======================================================
>
> Advisory Date: 11th January 2007
>
> Severity: Critical
> Impact: Remote System Access
> Solution Status: Vendor Patch
>
> CVE Reference: CVE-2007-0034
>
>
> Affected Software
> =================
>
> Microsoft Outlook 2000
> Microsoft Outlook 2002
> Microsoft Outlook 2003
>
>
> 1. OVERVIEW
> ===========
>
> Microsoft Outlook is a popular personal communication manager that
> provides end users with a unified place to manage e-mail, calendar
> and contact information.
>
> As part of its standard offering, Outlook also includes an Advanced
> Search facility (Finder.exe) enabling end-users to query any aspect
> of their repository information.
>
> Unfortunately, it transpires that Outlook/Finder is susceptible to
> a remote Buffer overflow vulnerability, when processing the contents
> of a specially crafted Office Saved Search (.oss) file.
>
>
> 2. TECHNICAL NARRATIVE
> ======================
>
> The issue in question stems from a simple oversight in the design of
> an intrinsic string manipulation function, which attempts to copy
> 1024 bytes of user supplied Unicode content, to a
> pre-allocated buffer
> of only 512 bytes (even though sufficient length checks are invoked).
>
> As the destination buffer is unable to accommodate the
> additional data,
> the net result is that of a classic stack overflow condition,
> in which
> Instruction Pointer (EIP) control is gained via one of several
> available return addresses.
>
>
> 3. EXPLOITATION
> ===============
>
> As with most file parsing vulnerabilities, the aforementioned issue
> will require a certain degree of social engineering to
> achieve successful
> exploitation.
>
> However, Office Saved Searches (.oss) file types share very similar
> display characteristics to that of harmless looking e-mail icons.
> As such, end-users could be fooled into thinking the attachment is
> a non-threatening mail forward.
>
>
>
> 4. VENDOR RESPONSE
> ==================
>
> The vendor security bulletin and corresponding patches are available
> at the following location:
>
>
>
>
> 5. DISCLOSURE ANALYSIS
> ======================
>
> 12/05/2006 Preliminary Vendor notification.
> 24/05/2006 Vulnerability confirmed by Vendor
> 16/10/2006 Public Disclosure Deferred by Vendor
> 09/01/2007 Public release.
>
> Total Time to Fix: 7 months 29 Days (243 days in total)
>
>
> 6. CREDIT
> =========
>
> The vulnerability was discovered by Stuart Pearson of
> Computer Terrorism
>
>
>
>
> ========================
> About Computer Terrorism
> ========================
>
> Computer Terrorism (UK) Ltd is a global provider of Digital Risk
> Intelligence services. Our unique approach to vulnerability risk
> assessment and mitigation has helped protect some of the worlds
> most at risk organisations.
>
> Headquartered in London, Computer Terrorism has
> representation throughout
> Europe & North America and can be reached at +44 (0) 870 250
> 9866 or email:-
>
> sales [at] computerterrorism.com
>
> To learn more about our services or to register for a FREE
> comprehensive
> website penetration test, visit: http:/www.computerterrorism.com
>
>
> Computer Terrorism (UK) :: Protection for a vulnerable world.
>
>
>
>
>
