Secplicity – Security Simplified

Code Execution Vulnerability in Outlook Express and Windows Mail

Summary:

Exposure:

Most versions of Windows have shipped with a free email client that retrieves your mail from a POP3 or IMAP server. Older versions came with Outlook Express, Windows Vista came with Windows Mail, and for more recent versions Microsoft offers Windows Live Mail as a free download.

In a security bulletin released on patch day, Microsoft describes an integer overflow vulnerability that affects Outlook Express, Windows Mail and Windows Live Mail. By sending a specially crafted POP3 or IMAP response to a user's email client, an attacker can trigger the overflow and execute code on that user's computer with that user's privileges. As with most Windows vulnerabilities, if your users run with local administrator rights, the attacker can leverage this flaw to gain complete control of the PC.

Exploiting this flaw is not trivial, however. To deliver a malicious POP3 or IMAP response, an attacker has to get the victim's mail client to talk to a server the attacker controls, which usually means convincing the victim to reconfigure the client to point at a malicious mail server. That is easier said than done. An attacker could also use a man-in-the-middle attack: if he can position himself between the victim and the victim's real mail server and intercept the mail traffic, he could in theory rewrite the real server's responses in a way that triggers the flaw. That attack is also hard to carry out in practice, and if the client connects to its mail server over SSL/TLS, the attacker cannot rewrite the responses without first defeating that encryption as well. These factors lessen the risk of this vulnerability to some degree.

Solution Path:

Microsoft has released Outlook Express and Windows Mail updates to fix this vulnerability. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

Some WatchGuard appliances include a POP3 proxy. It is often possible to configure WatchGuard’s proxies to block certain application layer attacks. However, to do this you usually need to know the vulnerability’s underlying technical details. Unfortunately, Microsoft’s bulletin doesn’t share any specific details about how an attacker might alter the POP3 and IMAP responses. Without these technical details, it’s hard to say whether or not our POP3 proxy can help. For that reason, Microsoft’s patches are your best solution.
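The integer overflow pattern described in the Exposure section, and the kind of size sanity check a POP3 proxy could apply, as an added example in C. This is not code from the original post, from WatchGuard, or from Microsoft. Microsoft did not disclose which response field triggers the flaw, so the `+OK <n> octets` status line (the reply to RETR), the 64-byte framing overhead, the 64 MiB policy cap and the sample responses are assumptions chosen for illustration, not the real trigger. The unchecked and checked buffer sizing routines show why a declared size that wraps 32-bit arithmetic is dangerous and how to reject it before it reaches an allocation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, illustrative framing overhead a client might add to the declared
 * message size before allocating a receive buffer (not from the bulletin). */
#define HEADER_OVERHEAD 64u

/* Assumed policy cap a proxy might enforce on a declared message size. */
#define MAX_SANE_OCTETS (64u * 1024u * 1024u)  /* 64 MiB */

/* Parse the size from a POP3 "+OK <n> octets" status line (the reply to RETR).
 * Returns 0 and stores the size on success, 1 if the line is not a size
 * announcement at all (greeting, STAT reply, -ERR, ...), and -1 if a number is
 * present but does not fit in 32 bits. Assumes the line is NUL-terminated. */
int parse_retr_octets(const char *line, uint32_t *octets) {
    if (strncmp(line, "+OK ", 4) != 0) return 1;
    const char *p = line + 4;
    if (*p < '0' || *p > '9') return 1;   /* text after +OK, e.g. a banner */
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE || v > UINT32_MAX) return -1;
    if (strncmp(end, " octets", 7) != 0) return 1;  /* e.g. "+OK 2 320" from STAT */
    *octets = (uint32_t)v;
    return 0;
}

/* Vulnerable pattern: the addition wraps in 32-bit arithmetic, so a huge
 * declared size produces a tiny buffer while the client still expects to
 * copy `octets` bytes into it. */
uint32_t unchecked_buffer_size(uint32_t octets) {
    return octets + HEADER_OVERHEAD;
}

/* Hardened pattern: reject sizes over policy and sizes whose sum would wrap.
 * Returns 0 and stores the buffer size, or -1 if the size is unacceptable. */
int checked_buffer_size(uint32_t octets, uint32_t *out) {
    if (octets > MAX_SANE_OCTETS) return -1;
    if (octets > UINT32_MAX - HEADER_OVERHEAD) return -1;  /* would wrap */
    *out = octets + HEADER_OVERHEAD;
    return 0;
}

/* Proxy-style verdict for one server-to-client line:
 * returns 1 to pass the line through, 0 to block it. */
int proxy_allows_line(const char *line) {
    /* RFC 1939 caps a response line at 512 characters including CRLF. */
    if (strlen(line) > 512) return 0;
    uint32_t octets, sized;
    int rc = parse_retr_octets(line, &octets);
    if (rc < 0) return 0;   /* declared size does not even fit in 32 bits */
    if (rc == 0) return checked_buffer_size(octets, &sized) == 0;
    return 1;               /* no size to judge on this line */
}

int main(void) {
    /* Constructed sample responses, not captured traffic. */
    const char *benign = "+OK 1874 octets\r\n";
    const char *huge   = "+OK 4294967295 octets\r\n";
    uint32_t n = 0;
    if (parse_retr_octets(huge, &n) == 0)
        printf("declared %u octets -> unchecked buffer %u bytes (wrapped)\n",
               n, unchecked_buffer_size(n));
    printf("proxy verdict: benign=%d huge=%d\n",
           proxy_allows_line(benign), proxy_allows_line(huge));
    return 0;
}
```

The point of the proxy check is that it does not need to know the exact trigger: any declared size that cannot fit in the client's arithmetic, or that exceeds what a mail message could plausibly be, is worth dropping on the wire. A real proxy would have to apply the same idea to every size-bearing field in POP3 and IMAP, which is exactly why knowing the vulnerable field matters.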

Status:

Microsoft has released patches to fix this vulnerability.

References:
