|
Security Advisory : CT09-01-2007
Microsoft Outlook Advanced
Find - Remote Code Execution
| Severity: |
Critical
|
| Impact: |
Remote System
Access |
| Solution Status: |
Vendor Patch |
| CVE
Reference:
|
CVE-2007-0034 |
|
Advisory Date: |
11th January
2007 |
| |
|
|
Affected Software: |
Microsoft Outlook
2000
Microsoft Outlook 2002
Microsoft Outlook 2003 |
1. OVERVIEW
Microsoft Outlook is a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar
and contact information.
As part of its standard offering, Outlook also includes an Advanced
Search facility (Finder.exe) enabling end-users to query any aspect
of their repository information.
Unfortunately, it transpires that Outlook/Finder is susceptible to
a remote Buffer overflow vulnerability, when processing the contents
of a specially crafted Office Saved Search (.oss) file.
2. TECHNICAL NARRATIVE
The issue in question stems from a simple oversight in the design of
an intrinsic string manipulation function, which attempts to copy
1024 bytes of user supplied Unicode content, to a pre-allocated buffer
of only 512 bytes (even though sufficient length checks are invoked).
As the destination buffer is unable to accommodate the additional data,
the net result is that of a classic stack overflow condition, in which
Instruction Pointer (EIP) control is gained via one of several available
return addresses.
3. EXPLOITATION
As with most file parsing vulnerabilities, the aforementioned issue
will require a certain degree of social engineering to achieve successful
exploitation.
However, Office Saved Searches (.oss) file types share very similar
display characteristics to that of harmless looking e-mail icons.
As such, end-users could be fooled into thinking the attachment is
a non-threatening mail forward.
4. VENDOR RESPONSE
The vendor security bulletin and corresponding patches are available at the
following location:
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
5. DISCLOSURE ANALYSIS
12/05/2006 - Preliminary Vendor
notification.
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.
Total Time to Fix: 7 months 29 Days (243 days in total)
6. CREDIT
The vulnerability was discovered
by Stuart Pearson
Computer Terrorism (UK) :: Incident Response Centre.
Home |
Contact Us |
Services |
News |
