The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Outlook Express

cybersecurity weakness CVE-2010-0816

Outlook Express, Windows Mail: code execution

Synthesis of the vulnerability

An attacker can set up a malicious POP/IMAP server, and invite the victim to connect with Outlook Express or Windows Mail, in order to execute code on the victim's computer.
Severity: 3/4.
Creation date: 11/05/2010.
Identifiers: 978542, BID-39927, CERTA-2010-AVI-205, CVE-2010-0816, MS10-030, VIGILANCE-VUL-9635.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Outlook Express or Windows Mail messaging clients can connect to servers implementing the POP or IMAP protocol.

The POP or IMAP protocol can be used to learn the number of messages stored on the server, via the STAT command for example. However, when the Outlook Express or Windows Mail client receives this number, it does not check it before allocating a memory area. A POP/IMAP server can therefore return a high message number, in order to corrupt the memory of the Windows client.

An attacker can therefore set up a malicious POP/IMAP server, and invite the victim to connect with Outlook Express or Windows Mail, in order to execute code on the victim's computer.
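
The missing check described above, as an added C example (not code from Outlook Express or from the bulletin): the count in a POP3 STAT reply is parsed, range-checked and guarded against multiplication overflow before it sizes an allocation. The `msg_slot` record, the `MAX_MESSAGES` cap and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-message record and policy cap (assumptions, not from the page). */
struct msg_slot { uint32_t number; uint32_t octets; };
#define MAX_MESSAGES 100000ULL

/* Parse "+OK <count> <octets>" sent by an untrusted server.
 * Returns 0 and sets *count on success, -1 on malformed or out-of-range input. */
int parse_stat(const char *line, size_t *count)
{
    if (strncmp(line, "+OK ", 4) != 0)
        return -1;
    const char *p = line + 4;
    if (*p < '0' || *p > '9')            /* rejects "-1", "+5", extra spaces */
        return -1;
    char *end;
    errno = 0;
    unsigned long long n = strtoull(p, &end, 10);
    if (errno == ERANGE || *end != ' ')  /* overflowed, or trailing junk */
        return -1;
    if (n > MAX_MESSAGES)                /* sanity cap before any allocation */
        return -1;
    *count = (size_t)n;
    return 0;
}

/* Allocate the message table only after the count has been validated. */
struct msg_slot *alloc_table(const char *stat_line, size_t *count)
{
    if (parse_stat(stat_line, count) != 0)
        return NULL;
    if (*count > SIZE_MAX / sizeof(struct msg_slot))  /* multiplication guard */
        return NULL;
    /* calloc zero-fills; an empty mailbox still gets one slot so NULL means "rejected" */
    return calloc(*count ? *count : 1, sizeof(struct msg_slot));
}

int main(void)
{
    size_t n = 0;
    struct msg_slot *ok = alloc_table("+OK 3 1520\r\n", &n);  /* constructed reply */
    printf("ok=%d count=%zu\n", ok != NULL, n);
    printf("hostile rejected=%d\n", alloc_table("+OK 4294967295 10\r\n", &n) == NULL);
    free(ok);
}
```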

computer weakness bulletin CVE-2008-0015 CVE-2008-0020 CVE-2009-0901

Windows, IE, OE, Media: code execution via ATL

Synthesis of the vulnerability

Several vulnerabilities of Microsoft ATL (Active Template Library) impact Microsoft products.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/08/2009.
Identifiers: 973908, BID-35558, BID-35982, CERTA-2009-AVI-278, CERTA-2009-AVI-300, CERTA-2009-AVI-325, CERTA-2009-AVI-435, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2009-AVI-538, CERTA-2010-AVI-083, CVE-2008-0015, CVE-2008-0020, CVE-2009-0901, CVE-2009-2493, CVE-2009-2494, MS09-037, VIGILANCE-VUL-8937, VU#180513.

Description of the vulnerability

The Visual Studio development environment provides the ATL (Active Template Library) library, which is used to create ActiveX controls, and contains several vulnerabilities described in VIGILANCE-VUL-8895. Several ActiveX controls produced by Microsoft are linked to ATL, and are thus also impacted by these vulnerabilities. Moreover, some products are linked to a private version of ATL and are impacted by vulnerabilities which do not impact the public version of Visual Studio.

The Microsoft Video ActiveX control is linked to a private version of ATL, which contains a vulnerability in the CComVariant::ReadFromStream() function. This vulnerability leads to code execution, and was described in VIGILANCE-VUL-8841. [severity:4/4; BID-35558, CERTA-2009-AVI-278, CERTA-2009-AVI-325, CVE-2008-0015, VU#180513]

The Microsoft Video ActiveX control is linked to a private version of ATL, which contains a vulnerability in the IPersistStreamInit::Load() function. This vulnerability leads to code execution. [severity:4/4; CVE-2008-0020]

Several Microsoft ActiveX controls are linked to the public version of ATL, and are thus impacted by the CVE-2009-0901 vulnerability described in VIGILANCE-VUL-8895, which can be used to execute code. [severity:4/4; CERTA-2009-AVI-300, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2010-AVI-083, CVE-2009-0901]

Several Microsoft ActiveX controls are linked to the public version of ATL, and are thus impacted by the CVE-2009-2493 vulnerability described in VIGILANCE-VUL-8895, which can be used to instantiate any ActiveX control (even those with the Kill Bit). [severity:4/4; CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493]

Several Microsoft ActiveX controls are linked to a private version of ATL, which contains a vulnerability in the handling of Variants, and leads to code execution. [severity:4/4; BID-35982, CVE-2009-2494]

An attacker can therefore create an HTML page containing one of these ActiveX controls in order to execute code on the victim's computer.

computer threat alert CVE-2008-0015

IE: buffer overflow of Microsoft Video Control MPEG2TuneRequest

Synthesis of the vulnerability

An attacker can invite the victim to view an HTML page in order to generate an overflow in the Microsoft Video Control MPEG2TuneRequest ActiveX control, leading to code execution.
Severity: 3/4.
Creation date: 06/07/2009.
Revision date: 07/07/2009.
Identifiers: 972890, 973346, 973908, BID-35558, CVE-2008-0015, MS09-032, MS09-037, VIGILANCE-VUL-8841, VU#180513.

Description of the vulnerability

The msvidctl.dll DLL uses Microsoft DirectShow filters to manipulate a video document, and contains 45 ActiveX controls. These controls are not designed to be used from Internet Explorer; however, they are tagged as "Safe for initialisation and scripting".

One of these ActiveX controls (MPEG2TuneRequest) does not correctly validate data coming from the video document before using it, which generates a buffer overflow.

An attacker can therefore invite the victim to view an HTML page calling this ActiveX control, in order to generate an overflow, leading to code execution.

security weakness CVE-2008-5424 CVE-2008-5425 CVE-2008-5426

MIME: denial of service by encapsulation

Synthesis of the vulnerability

An attacker can create an email containing deep MIME encapsulations in order to create a denial of service in several applications.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 09/12/2008.
Identifiers: BID-32702, CVE-2008-5424, CVE-2008-5425, CVE-2008-5426, CVE-2008-5427, CVE-2008-5428, VIGILANCE-VUL-8296.

Description of the vulnerability

An email can contain several parts separated by MIME headers. Each part can also contain data encapsulated with MIME headers.

Some software does not limit the number of encapsulations. An attacker can therefore send an email containing several thousand parts in order to create a denial of service.

Here is a list of impacted software:
  Microsoft Outlook Express 6
  Opera Version: 9.51
  Norton Internet Security Version 15
  Kaspersky Internet Security 2009

This vulnerability type is old, and has for example impacted Sendmail (VIGILANCE-VUL-5924) and ClamAV (VIGILANCE-VUL-6398).
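
A defensive nesting limit for the encapsulation issue described above, as an added C example that is not taken from any of the listed products. It is a simplified scanner that only recognises quoted `boundary="..."` parameters on a single line; the `MAX_DEPTH` value and the function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8    /* assumed policy limit; the page names no value */
#define BLEN 74        /* "--" + 70-char boundary (RFC 2046 limit) + NUL */

/* Walk the message line by line. A quoted boundary="..." parameter opens a
 * nesting level; that boundary's closing delimiter ("--b--") closes it.
 * Returns the deepest level seen, or -1 once the limit would be exceeded. */
int mime_depth(const char *msg, int max_depth)
{
    char stack[MAX_DEPTH][BLEN];
    int depth = 0, deepest = 0;
    if (max_depth > MAX_DEPTH)
        max_depth = MAX_DEPTH;

    for (const char *line = msg; *line; ) {
        char buf[256];
        size_t len = strcspn(line, "\r\n");
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';

        char *b = strstr(buf, "boundary=\"");
        if (b) {
            b += strlen("boundary=\"");
            size_t bl = strcspn(b, "\"");
            if (bl == 0 || bl > 70)
                return -1;               /* malformed boundary */
            if (depth >= max_depth)
                return -1;               /* refuse before going deeper */
            snprintf(stack[depth++], BLEN, "--%.*s", (int)bl, b);
            if (depth > deepest)
                deepest = depth;
        } else if (depth > 0) {
            size_t sl = strlen(stack[depth - 1]);
            if (n == sl + 2 && memcmp(buf, stack[depth - 1], sl) == 0
                && strcmp(buf + sl, "--") == 0)
                depth--;                 /* closing delimiter of innermost part */
        }
        line += len;
        line += strspn(line, "\r\n");    /* skip line ending and blank lines */
    }
    return deepest;
}
```

Because the scan stops at the first level past the limit, the work done on a message with several thousand nested parts stays bounded by `MAX_DEPTH` rather than by the sender.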

security vulnerability CVE-2007-3897

Outlook Express, Windows Mail: buffer overflow via NNTP

Synthesis of the vulnerability

An attacker can set up a malicious NNTP server in order to execute code on the computers of victims who connect to this server.
Severity: 4/4.
Creation date: 10/10/2007.
Revision date: 16/10/2007.
Identifiers: 941202, BID-25908, CERTA-2007-AVI-431, CVE-2007-3897, MS07-056, VIGILANCE-VUL-7218.

Description of the vulnerability

The Outlook Express and Windows Mail messaging clients implement the NNTP (Network News Transfer Protocol) protocol. When the user clicks on an "nntp:", "news:" or "snews:" URI, the messaging client is launched. This client can also be called when an HTML page containing an image with such a URI is displayed.

The NNTP protocol uses an exchange of queries and responses. For example:
  response : 200 serveur
  query : GROUP g.g.g
  response : 211 1 1003 1265 g.g.g
  query : XHDR subject 1003-1265
  response: subject of requested range
  etc.
This exchange occurs when the client connects to the server, without having to wait for the user to enter a login, for example.

However, when the XHDR response is too long, a buffer overflow occurs in Outlook Express or Windows Mail. This overflow leads to code execution.

An attacker can therefore invite the victim to connect to an NNTP server or to display a malicious HTML page in order to execute code on the victim's computer.

cybersecurity weakness CVE-2006-2111 CVE-2007-1658 CVE-2007-2225

OE, Windows Mail: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Outlook Express or Windows Mail lead to information disclosure or to code execution.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 13/06/2007.
Revision date: 22/06/2007.
Identifiers: 929123, BID-17717, BID-23103, BID-24392, BID-24410, CERTA-2007-AVI-259, CVE-2006-2111, CVE-2007-1658, CVE-2007-2225, CVE-2007-2227, MS07-034, VIGILANCE-VUL-6907, VU#682825, VU#783761.

Description of the vulnerability

Several vulnerabilities were announced in Outlook Express or Windows Mail.

An attacker can create a website using a redirection and an mhtml: URI in order to access data of another web site (VIGILANCE-VUL-6253). [severity:3/4; BID-17717, BID-24392, CERTA-2007-AVI-259, CVE-2006-2111, VU#783761]

When the user clicks on a command which has the same name as a directory, it is executed without warning (VIGILANCE-VUL-6679). [severity:3/4; BID-23103, CVE-2007-1658]

When the victim clicks on an MHTML link, zone restrictions can be bypassed. [severity:3/4; CVE-2007-2225, VU#682825]

When the victim clicks on an MHTML link, the download dialog box can be bypassed, by using a special Content-Disposition header. [severity:3/4; BID-24410, CVE-2007-2227]

computer threat CVE-2007-1658

Windows Mail: command execution

Synthesis of the vulnerability

When the user clicks on a command which has the same name as a directory, it is executed without warning.
Severity: 1/4.
Creation date: 23/03/2007.
Identifiers: 929123, BID-23103, CVE-2007-1658, MS07-034, VIGILANCE-VUL-6679.

Description of the vulnerability

When the user receives an email containing a link to a local program, and clicks on this link, a warning dialog is displayed in the Windows Mail client.

However, when a directory with the same name exists, there is no warning dialog.

For example, Windows Vista creates the following commands and directories:
 - Windows Remote Management :
    c:/windows/system32/winrm/
    c:/windows/system32/winrm.cmd
 - Migration Wizard :
    c:/windows/system32/migwiz/
    c:/windows/system32/migwiz.cmd

An attacker can therefore invite the user to click on a link to automatically start these programs. Currently, no way to pass parameters to the program has been found.

threat announce CVE-2006-2386

Outlook Express: buffer overflow of WAB

Synthesis of the vulnerability

A malicious WAB file generates an overflow and leads to code execution.
Severity: 3/4.
Creation date: 13/12/2006.
Identifiers: 923694, BID-21501, CERTA-2006-AVI-548, CVE-2006-2386, MS06-076, VIGILANCE-VUL-6393.

Description of the vulnerability

Files with ".wab" extension are used by Windows Address Book.

When Outlook Express opens a malicious WAB file, a buffer overflow occurs.

This vulnerability therefore permits an attacker to execute code on the computers of users who agree to open a WAB file.

computer weakness bulletin CVE-2006-2111

Outlook Express, Internet Explorer: access to data of another site via mhtml

Synthesis of the vulnerability

An attacker can create a website using a redirection and an mhtml: URI in order to access data of another web site.
Severity: 2/4.
Creation date: 26/10/2006.
Revision date: 27/10/2006.
Identifiers: 929123, BID-17717, CVE-2006-2111, MS07-034, VIGILANCE-VUL-6253.

Description of the vulnerability

The MHTML (MIME HTML) extensions are installed with Outlook Express, and then become available to other software such as Internet Explorer. So, when an HTML document contains an "mhtml:" URI, Internet Explorer calls Outlook Express.

Outlook Express does not correctly check the source of the document. When an HTTP redirection is used, the document is opened in the context of the new website.

This vulnerability therefore permits an attacker to access information of the site, as seen by the user.

security bulletin CVE-2006-2766

Outlook Express: buffer overflow of an MHTML URI

Synthesis of the vulnerability

An attacker can create a document with a long MHTML URI in order to execute code on the user's computer.
Severity: 4/4.
Creation date: 09/08/2006.
Identifiers: 920214, BID-18198, CERTA-2006-AVI-341, CVE-2006-2766, MS06-043, VIGILANCE-VUL-6067, VU#891204.

Description of the vulnerability

The MHTML (MIME HTML) extensions are installed with Outlook Express, and then become available to other software such as Internet Explorer.

However, the size of a URI like "mhtml://mid:" is not checked. An attacker can thus generate an overflow.

This vulnerability therefore permits an attacker to execute code with the rights of users who agree to click on a link.