‘Security Update for Outlook Express and Windows Mail (MS07-056)’

Summary

The vulnerability could allow remote code execution due to an incorrectly handled malformed NNTP response.

An attacker could exploit the vulnerability by constructing a specially crafted Web page.’

Credit:

‘The information has been provided by Microsoft Security Bulletin MS07-056.
The original article can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx


Details

Affected Software:
 * Microsoft Windows 2000 Service Pack 4
  * Outlook Express 5.5 Service Pack 2
 * Microsoft Windows 2000 Service Pack 4
  * Outlook Express 6 Service Pack 1
 * Windows XP Service Pack 2
  * Microsoft Outlook Express 6
 * Windows XP Professional x64 Edition Service Pack 2
  * Microsoft Outlook Express 6
 * Windows Server 2003 Service Pack 1
  * Microsoft Outlook Express 6
 * Windows Server 2003 Service Pack 2
  * Microsoft Outlook Express 6
 * Windows Server 2003 x64 Edition
  * Microsoft Outlook Express 6
 * Windows Server 2003 x64 Edition Service Pack 2
  * Microsoft Outlook Express 6
 * Windows Server 2003 with SP1 for Itanium-based Systems
  * Microsoft Outlook Express 6
 * Windows Server 2003 with SP2 for Itanium-based Systems
  * Microsoft Outlook Express 6
 * Windows Vista
  * Windows Mail
 * Windows Vista x64 Edition
  * Windows Mail

Network News Transfer Protocol Memory Corruption Vulnerability:
A remote code execution vulnerability exists in Outlook Express and in Windows Mail on Windows Vista, due to an incorrectly handled malformed NNTP response. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Mitigating Factors for Network News Transfer Protocol Memory Corruption Vulnerability:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

 * In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, Web sites that accept or host user-provided content, or compromised Web sites and advertisement servers, could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

 * An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

 * Internet Explorer 7 Protected Mode on Windows Vista displays a warning dialog that a Web page is attempting to access Windows Mail. The user would have to click Allow before the vulnerability could be exploited.

Workarounds for Network News Transfer Protocol Memory Corruption:
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

 * Disable news protocol handler.

You can disable the news protocol handler by removing the application associated with it in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\news\shell\open\command]
@=""

[HKEY_CLASSES_ROOT\snews\shell\open\command]
@=""

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

 * Group Policy collection

 * What is Group Policy Object Editor?

 * Core Group Policy tools and settings

Impact of workaround: This workaround removes the associated application that is used to run NNTP.
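The following script is an added example, not part of the bulletin or of Microsoft's workaround: it audits whether the news: and snews: protocol handlers are still registered on a system, and can apply the same change as the .reg file above while saving the original handler commands so the workaround can be reversed once the update is installed. The two registry key paths and the empty default value come from the bulletin; the backup file location and the switch names are assumptions.

```powershell
# Added example (not part of MS07-056): audit, apply, or roll back the
# "disable news protocol handler" workaround. Run from an elevated prompt;
# HKEY_CLASSES_ROOT is machine-wide and the .reg file above has the same effect.
param(
    [switch]$Apply,    # clear both handlers (same effect as the bulletin's .reg file)
    [switch]$Restore,  # put the saved handler commands back (after patching)
    [string]$BackupPath = "$env:TEMP\ms07-056-news-handlers.clixml"  # assumed location
)

# Key paths taken from the bulletin's workaround.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\news\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\snews\shell\open\command'
)

function Get-HandlerCommand([string]$Key) {
    # Returns the handler's default value, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

if ($Restore) {
    # Reverse the workaround using the commands saved by a previous -Apply run.
    $saved = Import-Clixml -Path $BackupPath
    foreach ($k in $saved.Keys) {
        if ($saved[$k]) { Set-ItemProperty -LiteralPath $k -Name '(default)' -Value $saved[$k] }
    }
    Write-Output "Handler commands restored from $BackupPath"
    return
}

# Audit: report each handler as absent, disabled, or still active.
$state = @{}
foreach ($k in $keys) {
    $cmd = Get-HandlerCommand $k
    $state[$k] = $cmd
    if ($null -eq $cmd)  { $status = 'key absent (handler not registered)' }
    elseif ($cmd -eq '') { $status = 'disabled (workaround applied)' }
    else                 { $status = "ACTIVE -> $cmd" }
    Write-Output ("{0,-50} {1}" -f ($k -replace '^Registry::', ''), $status)
}

if ($Apply) {
    # Save the original commands first; the bulletin's .reg file does not keep them.
    $state | Export-Clixml -Path $BackupPath
    foreach ($k in $keys) {
        if ($state[$k]) { Set-ItemProperty -LiteralPath $k -Name '(default)' -Value '' }
    }
    Write-Output "Handlers cleared; original commands saved to $BackupPath"
}
```

Running the script with no switches only reports the current state, which is the check to run across a fleet before and after deploying the .reg file through Group Policy.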

 * Remove News Accounts.

Remove all registered news accounts from the Outlook Express or Windows Mail client:
1. In Windows Mail or Outlook Express, select the Tools menu and then Accounts.
2. Select a News account, click Remove, and then click OK or Yes.
3. Repeat step 2 for all News accounts.

Impact of workaround: Removing newsgroups that have been registered will make them unavailable for use until you register them again.

FAQ for Network News Transfer Protocol Memory Corruption:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

What causes the vulnerability?
The vulnerability is present due to incorrect handling of malformed responses in the Network News Transfer Protocol (NNTP).

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability and then convince a user to view the Web site. This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. In no case, however, would an attacker have a way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker’s Web site.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and visits a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.

What does the update do?
The update removes the vulnerability by changing the news client to handle malformed responses correctly.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

CVE Information:
CVE-2007-3897.’
