|
|
| |
Credit:
The information has been provided by The Zero Day Initiative (ZDI).
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-07-042.html
|
| |
The specific flaw resides in IMailsec.dll while attempting to authenticate users. The affected component is used by multiple services that listen on a default installation. The authentication mechanism copies user-supplied data into fixed length heap buffers using the lstrcpyA() function. The unbounded copy operation can cause a memory corruption resulting in an exploitable condition.
Vendor Response:
Ipswitch has issued an update to correct this vulnerability. More details can be found at: http://www.ipswitch.com/support/imail/releases/im200621.asp
Disclosure Timeline:
2007.02.26 - Vulnerability reported to vendor
2007.07.24 - Digital Vaccine released to TippingPoint customers
2007.07.24 - Coordinated public release of advisory
CVE Information:
CVE-2007-2795
|
|
|
