Secplicity - Security Simplified

Powered by WatchGuard Technologies

Code Execution Vulnerability in Outlook Express and Windows Mail

May 11, 2010 By The Editor

Summary:

  • This vulnerability affects: The email client shipping with any current version of Windows (whether it’s Outlook Express or Windows Mail)
  • How an attacker exploits it: By enticing one of your users to connect to a malicious POP3 or IMAP email server (or by performing a man-in-the-middle attack)
  • Impact: An attacker can execute malicious code, potentially gaining full control of your user's computer
  • What to do: Download, test, and install Microsoft’s email client updates as soon as possible, or let Windows Automatic Update do it for you

Exposure:

All versions of Windows ship with a free email client that allows you to retrieve your email from an email server. Older versions of Windows came with Outlook Express, while more recent versions come with Windows Mail or Windows Live Mail.

In a security bulletin released during patch day, Microsoft describes a new integer overflow vulnerability that affects Outlook Express and Windows Mail. By sending a specially crafted POP3 or IMAP response to one of your users' email clients, an attacker can trigger this integer overflow flaw to execute code on that user's computer, with that user's privileges. As is typical with Windows vulnerabilities, if your users have local administrative privileges, the attacker could leverage this flaw to gain complete control of their PC.
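The bulletin does not say which response field is involved, so the following added example (not from the original article or from Microsoft) illustrates the general bug class with a hypothetical client that sizes a table from the message count in a POP3 `+OK <count> <octets>` status reply. The `msg_slot` record, the function names, and the sample reply are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-message record a mail client might keep (8 bytes). */
struct msg_slot { uint32_t size; uint32_t flags; };

/* Unsafe pattern: the 32-bit product wraps modulo 2^32 for a large count. */
uint32_t unchecked_table_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(struct msg_slot);
}

/* Parse the count from a "+OK <count> <octets>" status line; 0 on success. */
int parse_stat_count(const char *line, uint32_t *count)
{
    char *end;
    unsigned long long v;
    if (strncmp(line, "+OK ", 4) != 0) return -1;
    if (line[4] < '0' || line[4] > '9') return -1; /* no sign or whitespace */
    errno = 0;
    v = strtoull(line + 4, &end, 10);
    if (errno == ERANGE || v > UINT32_MAX || *end != ' ') return -1;
    *count = (uint32_t)v;
    return 0;
}

/* Hardened sizing: reject any count whose byte size cannot be represented. */
int checked_table_bytes(const char *line, uint32_t *bytes)
{
    uint32_t count;
    if (parse_stat_count(line, &count) != 0) return -1;
    if (count > UINT32_MAX / sizeof(struct msg_slot)) return -1;
    *bytes = count * (uint32_t)sizeof(struct msg_slot);
    return 0;
}

int main(void)
{
    const char *crafted = "+OK 536870913 100"; /* constructed sample reply */
    uint32_t count = 0, bytes = 0;
    parse_stat_count(crafted, &count);
    printf("unchecked size: %u bytes for %u entries\n",
           (unsigned)unchecked_table_bytes(count), (unsigned)count);
    printf("checked result: %d\n", checked_table_bytes(crafted, &bytes));
    return 0;
}
```

The unchecked product yields a tiny buffer size for a huge entry count, which is the mismatch that turns an integer overflow into memory corruption; the checked version refuses the reply before any allocation happens.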

However, in order to send a malicious POP3 or IMAP response to an email client, an attacker has to somehow convince the victim to configure their mail client to connect to a malicious email server. That is a lot easier said than done. An attacker might also leverage this flaw using a man-in-the-middle attack. If the attacker could place himself between his victim and that victim's email server, and the attacker could sniff all the victim's email traffic, he could theoretically alter the real mail server's response in a way that triggers this vulnerability. However, this sort of attack is also somewhat difficult to pull off in the real world. These factors lessen the risk of this vulnerability to some degree.

Solution Path:

Microsoft has released Outlook Express and Windows Mail updates to fix this vulnerability. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Automatic Update do it for you.

  • Windows 2000
    • Outlook Express 5.5
    • Outlook Express 6
  • Windows XP
    • Outlook Express 6
    • Windows Live Mail
  • Windows XP x64
    • Outlook Express 6
    • Windows Live Mail
  • Windows Server 2003
    • Outlook Express 6
  • Windows Server 2003 x64
    • Outlook Express 6
  • Windows Server 2003 Itanium
    • Outlook Express 6
  • Windows Vista
    • Windows Mail
    • Windows Live Mail
  • Windows Vista x64
    • Windows Mail
    • Windows Live Mail
  • Windows Server 2008
    • Windows Mail
    • Windows Live Mail
  • Windows Server 2008 x64
    • Windows Mail
    • Windows Live Mail
  • Windows Server 2008 Itanium
    • Windows Mail
    • Windows Live Mail
  • Windows 7
    • Windows Mail
    • Windows Live Mail
  • Windows 7 x64
    • Windows Mail
    • Windows Live Mail
  • Windows Server 2008 R2 x64
    • Windows Mail
    • Windows Live Mail
  • Windows Server 2008 R2 Itanium
    • Windows Mail
    • Windows Live Mail

For All WatchGuard Users:

Some WatchGuard appliances include a POP3 proxy. It is often possible to configure WatchGuard’s proxies to block certain application layer attacks. However, to do this you usually need to know the vulnerability’s underlying technical details. Unfortunately, Microsoft’s bulletin doesn’t share any specific details about how an attacker might alter the POP3 and IMAP responses. Without these technical details, it’s hard to say whether or not our POP3 proxy can help. For that reason, Microsoft’s patches are your best solution.

Status:

Microsoft has released patches to fix this vulnerability.

References:

  • MS Security Bulletin MS10-030

Filed Under: Security Bytes Tagged With: Microsoft, outlook, outlook express, windows mail
