TITLE:
Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA25639

VERIFY ADVISORY:
http://secunia.com/advisories/25639/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of sensitive information, System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows Vista
http://secunia.com/product/13223/
Microsoft Windows Storage Server 2003
http://secunia.com/product/12399/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/

SOFTWARE:
Microsoft Outlook Express 6
http://secunia.com/product/102/

DESCRIPTION:
Some vulnerabilities have been reported in Microsoft Outlook Express
and Windows Mail, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.

1) An error in Windows Mail within the handling of UNC navigation
requests can be exploited to execute arbitrary code via a local file
or UNC path when a user clicks on a link in a specially crafted email
message.

2) An error in the MHTML protocol handler when returning MHTML content
can be exploited to read data from another security zone or domain in
Internet Explorer when a user visits a specially crafted web page.

3) An error exists in the MHTML protocol handler when passing
Content-Disposition notifications back to Internet Explorer. This can
be exploited to bypass the file download dialog box and to read data
from another Internet Explorer domain when a user visits a specially
crafted web page.
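
A triage sketch for mail gateways or mailbox sweeps, added here as an example and not taken from Secunia or Microsoft: it flags links in HTML mail that point at UNC or local paths (item 1) and references to the mhtml: scheme (items 2 and 3). The function names and the sample message are constructed for illustration; a hit is a reason to review the message, not proof of an exploit attempt.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message (hosts and paths are placeholders).
SAMPLE = """\
From: a@example.test
To: b@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.test/news">news</a>
<a href="\\\\fileserver.example.test\\share\\docs\\readme.txt">share</a>
<a href="file:///C:/temp/readme.txt">local</a>
<img src="mhtml:http://example.test/page.mht">
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect every href/src attribute value in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def classify(target):
    """Return a review reason for a link target, or None if unremarkable."""
    if target.startswith("\\\\"):
        return "unc-path"                      # \\server\share\...
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", target)
    scheme = m.group(1).lower() if m else ""
    if len(scheme) == 1:
        return "local-path"                    # drive letter, e.g. C:\...
    return {"file": "file-url", "mhtml": "mhtml-handler"}.get(scheme)

def scan_message(raw):
    """Return (reason, link) pairs for each flagged link in the HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            findings += [(classify(l), l) for l in collector.links if classify(l)]
    return findings
```
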

SOLUTION:
Apply patches.

Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=27cca556-0872-4803-b610-4c895ceb99aa

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1ea813bf-bddb-40f0-8960-b9debc8413e7

Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=93808a74-035c-4ab7-9283-c693d7bd82be

Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=f63323a9-e285-45e5-84bd-71ae9da126e3

Windows Server 2003 SP1/SP2 for Itanium-based systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2e62e96e-6571-437d-a612-99175ac39025

Windows Vista:
http://www.microsoft.com/downloads/details.aspx?FamilyId=ee57de19-44ea-48f2-ae28-e76fd2018633

Windows Vista x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=343db20f-7794-4423-b11d-885329fbdf78

ORIGINAL ADVISORY:
MS07-034 (KB929123):
http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx