Credit:
The information has been provided by Francis Provencher.
The original article can be found at: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=13
Vulnerable Systems:
* Microsoft Outlook Express on Windows XP
* Microsoft Outlook Express on Windows Vista
* Microsoft Outlook Express on Windows 2000
* Microsoft Outlook Express on Windows Server 2003
* Microsoft Outlook Express on Windows Server 2008 SR2
* Microsoft Windows Mail on Windows XP
* Microsoft Windows Mail on Windows Vista
* Microsoft Windows Mail on Windows 2000
* Microsoft Windows Mail on Windows Server 2003
* Microsoft Windows Mail on Windows Server 2008 SR2
An unauthenticated remote code execution vulnerability exists in the way the Windows Mail Client software handles specially crafted mail responses. Exploitation does not require authentication: an attacker sends a specially crafted response to a client that initiates a connection to a server under the attacker's control using the common mail protocols. The vulnerability is caused by a common library used by Outlook Express and Windows Mail, which insufficiently validates network data before using that data to calculate the necessary size of a buffer.
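The bug class described above, as an added example (not code from the advisory or from the affected library): a count taken from a server response is multiplied into a buffer size, first unchecked, then with validation. The advisory does not name the affected field, so the decimal count field, `ENTRY_SIZE` and `MAX_ENTRIES` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_SIZE  12u      /* assumed size of one per-message record */
#define MAX_ENTRIES 100000u  /* assumed policy limit on a server-supplied count */

/* Unchecked pattern: the 32-bit product wraps, so a huge count yields a tiny size. */
uint32_t unchecked_table_size(uint32_t count) {
    return count * ENTRY_SIZE;
}

/* Parse a decimal count from an untrusted response field; 0 on success, -1 on reject. */
int parse_count(const char *field, uint32_t *out) {
    char *end;
    if (field == NULL || *field < '0' || *field > '9') return -1; /* no sign, space, empty */
    errno = 0;
    unsigned long long v = strtoull(field, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX) return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Checked size: enforce the limit, then confirm the product fits in size_t. */
int checked_table_size(uint32_t count, size_t *out) {
    if (count == 0 || count > MAX_ENTRIES) return -1;
    if (count > SIZE_MAX / ENTRY_SIZE) return -1;
    *out = (size_t)count * ENTRY_SIZE;
    return 0;
}

/* Allocate a record table only when the server-supplied count passes every check. */
void *alloc_table_from_response(const char *field, uint32_t *count_out) {
    uint32_t count;
    size_t bytes;
    if (parse_count(field, &count) != 0) return NULL;
    if (checked_table_size(count, &bytes) != 0) return NULL;
    void *p = calloc(count, ENTRY_SIZE);
    if (p != NULL) *count_out = count;
    return p;
}

int main(void) {
    uint32_t n = 0;
    void *t = alloc_table_from_response("357913942", &n); /* constructed oversized count */
    printf("wrapped size: %u bytes, allocation %s\n",
           unchecked_table_size(357913942u), t ? "made" : "refused");
    free(t);
    return 0;
}
```

The constructed count 357913942 makes the unchecked product wrap to 8 bytes, while the checked path refuses the response before any allocation.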
Patch Availability:
Please refer to:
http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx
CVE Information:
CVE-2010-0816
Disclosure Timeline:
2009-11-09 Vendor Contacted
2009-11-09 Vendor Response
2009-11-24 Vendor confirms the vulnerability
2010-05-11 Public release of this advisory