Microsoft today issued patches for a pair of critical (remote code execution) vulnerabilities in Windows and Microsoft Office and urged affected users to apply the fixes as soon as possible.
The most serious issue, addressed in the MS10-030 bulletin, affects Outlook Express, Windows Mail and Windows Live Mail.
According to Microsoft, users running Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 all have an aggregate severity rating of “critical,” meaning that a successful attack could give a hacker complete access to the compromised computer.
Default installations of Windows 7 are not affected by this flaw because they do not include Windows Live Mail.
Here are some possible attack scenarios, via Microsoft’s SR&D blog:
- Man-in-the-middle: Attacker intercepts and manipulates a user’s POP3 or IMAP connection to a legitimate email server. (. In this scenario, the most likely attack vector involves an attacker attempting to intercept and modify legitimate POP3 or IMAP communications going across an untrusted network, such as a Wi-Fi hotspot in a coffee shop. However, this attack would not work if those POP3 or IMAP sessions used SSL, an option available in your email account configuration if your server supports it.
- Malicious e-mail server: Attacker entices a user to connect to a malicious email server using either the POP3 or IMAP protocol. This is a less likely attack vector that involves an attacker convincing or forcing a user to connect to a malicious email server. This requires significant social engineering, and so it is less likely to be successful. Forcing a user to connect to a malicious email server would require the attacker to be able to redirect the user’s connection attempt from a legitimate email server to a malicious one. However, to accomplish this attack, the attacker would either need access to the user’s local area network, or have some way to poison the DNS entry for the email server.
The vulnerability is a one-byte stack overwrite due to a code defect in text parsing code, with three additional conditions limiting attacker’s control:
- The byte being overwritten must be equal to 0x2e (46 decimal)
- The overwriting value is always zero
- No zero byte can be present between the parsing buffer and the byte being overwritten (0x2e)
In theory there are a few ways this vulnerability could be used in a successful exploit, yet all of them require very specific properties of the program (for an example: return address that does not start with 0x00 and includes 0x2e and after turning 0x2e into 0x00 points to a code usable by an exploit). Such properties, while possible, are unlikely to be found in practice.
In our analysis, we feel that consistent exploit code resulting in arbitrary code execution is not likely to be released within the next 30 days. However, following our general guidelines, we have classified this vulnerability as exploitable with possibility for code execution.
Windows users running older versions of the operating system should also note the expiration date for support as this affects the availability of security patches:
- Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many Microsoft customers are still on this version, and are encouraged to upgrade to Service Pack 3 or to Windows 7 as soon as possible.
- Extended support for Windows 2000 will also be retired as of July 13, 2010. After that time, Microsoft will no longer provide security or any other updates for Windows 2000.