Code Execution Vulnerability in Outlook Express and Windows Mail

12/02/2012

Summary:

  • This vulnerability affects: The email client shipping with any current version of Windows (whether it’s Outlook Express or Windows Mail)
  • How an attacker exploits it: By enticing one of your users to connect to a malicious POP3 or IMAP email server (or by performing a man-in-the-middle attack)
  • Impact: An attacker can execute malicious code, potentially gaining full control of your user’s computer
  • What to do: Download, test, and install Microsoft’s email client updates as soon as possible, or let Windows Automatic Update do it for you

Exposure:

All versions of Windows ship with a free email client that allows you to retrieve your email from an email server. Older versions of Windows came with Outlook Express, while more recent versions come with Windows Mail or Windows Live Mail.

In a security bulletin released during patch day, Microsoft describes a new integer overflow vulnerability that affects Outlook Express and Windows Mail. By sending a specially crafted POP3 or IMAP response to one of your users’ email clients, an attacker can trigger this integer overflow flaw to execute code on that user’s computer, with that user’s privileges. As is typical with Windows vulnerabilities, if your users have local administrative privileges, the attacker could leverage this flaw to gain complete control of their PC.

However, to send a malicious POP3 or IMAP response to an email client, an attacker must somehow convince the victim to configure their mail client to connect to a malicious email server. That is a lot easier said than done. An attacker might also leverage this flaw using a man-in-the-middle attack. If the attacker could place himself between his victim and that victim’s email server, and could sniff all the victim’s email traffic, he could theoretically alter the real mail server’s response in a way that triggers this vulnerability. However, this sort of attack is also somewhat difficult to pull off in the real world. These factors lessen the risk of this vulnerability to some degree.
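The bulletin does not describe the flawed code, so the following is an added illustration of the integer overflow bug class only, not Microsoft's code or the actual flaw: a size taken from a server response wraps in 32-bit arithmetic, shown next to a bounded, checked form. The `+OK <n> octets` status line follows POP3; the function names, the sample line and the 64 MiB cap are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGE_OCTETS (64u * 1024u * 1024u) /* assumed client policy cap */

/* Parse the size from a POP3 status line such as "+OK 1234 octets".
 * Returns 0 and stores the size, or -1 if the line is malformed, the
 * number does not fit, or it exceeds the policy cap. */
int parse_declared_size(const char *line, size_t *out)
{
    if (strncmp(line, "+OK ", 4) != 0)
        return -1;
    const char *p = line + 4;
    if (*p < '0' || *p > '9')          /* rejects signs and extra spaces */
        return -1;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE || (*end != ' ' && *end != '\r' && *end != '\0'))
        return -1;
    if (v > MAX_MESSAGE_OCTETS)        /* never trust a server-declared size */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Unsafe pattern: 32-bit arithmetic wraps, so size + 1 can become 0 and a
 * later copy of `declared` bytes would overrun the tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t declared)
{
    return declared + 1u;
}

/* Hardened form: refuse if adding the terminator byte would wrap. */
int checked_alloc_size(size_t declared, size_t *out)
{
    if (declared > SIZE_MAX - 1)
        return -1;
    *out = declared + 1;
    return 0;
}

int main(void)
{
    size_t n = 0;
    const char *line = "+OK 4294967295 octets"; /* constructed sample */
    printf("unchecked: %u\n", (unsigned)unchecked_alloc_size(0xFFFFFFFFu));
    printf("parse: %d\n", parse_declared_size(line, &n));
    return 0;
}
```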

Solution Path:

Microsoft has released Outlook Express and Windows Mail updates to fix this vulnerability. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

Some WatchGuard appliances include a POP3 proxy. It is often possible to configure WatchGuard’s proxies to block certain application layer attacks. However, to do this you usually need to know the vulnerability’s underlying technical details. Unfortunately, Microsoft’s bulletin doesn’t share any specific details about how an attacker might alter the POP3 and IMAP responses. Without these technical details, it’s hard to say whether or not our POP3 proxy can help. For that reason, Microsoft’s patches are your best solution.

Status:

Microsoft has released patches to fix this vulnerability.
