Vulnerabilities > CVE-2007-2225 - Information Disclosure vulnerability in Microsoft Outlook Express and Windows Mail

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
microsoft
nessus

Summary

A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability."

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS07-034.NASL
description: The remote host is running a version of Microsoft Outlook Express with several security flaws that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25487
published: 2007-06-12
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25487
title: MS07-034: Cumulative Security Update for Outlook Express and Windows Mail (929123)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# identity, references and prerequisites, then exits at the end of this block
# without running any check.
if (description)
{
 script_id(25487);
 script_version("1.33");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # One plugin covers all four CVEs listed here, so a finding from it does not
 # say which of the individual issues applies to the host.
 script_cve_id(
  "CVE-2006-2111",
  "CVE-2007-1658",
  "CVE-2007-2225",
  "CVE-2007-2227"
 );
 script_bugtraq_id(17717, 23103, 24392, 24410);
 # Vendor bulletin and KB article; the KB number is the update whose presence
 # the check below looks for.
 script_xref(name:"MSFT", value:"MS07-034");
 script_xref(name:"MSKB", value:"929123");
 
 script_xref(name:"CERT", value:"682825");
 script_xref(name:"CERT", value:"783761");
 script_xref(name:"EDB-ID", value:"27745");
 script_xref(name:"EDB-ID", value:"29771");

 script_name(english:"MS07-034: Cumulative Security Update for Outlook Express and Windows Mail (929123)");
 script_summary(english:"Determines the presence of update 929123");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Outlook Express with
several security flaws that could allow an attacker to execute arbitrary
code on the remote host.

To exploit this flaw, an attacker would need to send a malformed email
to a victim on the remote host and have him open it.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-034");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Outlook Express and Windows
Mail.");
 # A single base vector is set for the whole plugin (complete C/I/A impact).
 # NOTE(review): that is higher than an information-disclosure issue such as
 # CVE-2007-2225 would warrant by itself; presumably it follows the most severe
 # CVE in the list above - confirm before reusing it to rate a single CVE.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # NOTE(review): only CWE-200 (information exposure) is tagged, while the
 # synopsis above describes code execution; triage from the CVE list rather
 # than from the CWE tag.
 script_cwe_id(200);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/28");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/06/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/12");

 # "local": the result is derived from patch state read on the host (see
 # script_summary above), not from interacting with the mail client.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Prerequisites: the two dependency scripts, the bulletin-check KB key, and
 # an SMB port (139/445) or the 'Host/patch_management_checks' KB entry.
 # presumably the KB key is written by ms_bulletin_checks_possible.nasl - confirm.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 # Registration ends here; the check further down is not reached in this mode.
 exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Check body: decides whether update 929123 (MS07-034) is missing by comparing
# the version of Inetcomm.dll under the system root with per-OS thresholds.

# Stop early unless the knowledge base says bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-034';
kb = '929123';

kbs = make_list(kb);
# When patch-management data is present in the KB, the bulletin/KB pair is
# also handed to hotfix_check_3rd_party() with SECURITY_HOLE severity.
# NOTE(review): what that helper reports or whether it exits is not visible here.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file check needs an enumerated registry and a known Windows version;
# without them the script exits instead of producing a finding.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only XP SP2, Server 2003 SP1/SP2 and Vista SP0 are examined. Any other
# OS/service-pack level is audited out here, so that outcome means "outside
# the checked range", not "update verified as installed".
if (hotfix_check_sp_range(xp:'2', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Locate the system root and the share that exposes it. A missing root or an
# inaccessible share ends the script with an error/audit, not a finding, so
# the absence of a finding on such hosts says nothing about patch state.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# One threshold per supported OS/SP pair, all against \system32\Inetcomm.dll.
# presumably a file version below the listed value counts as vulnerable -
# confirm against smb_hotfixes_fcheck.inc.
# NOTE(review): detection rests on this single DLL's version only.
if (
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Inetcomm.dll", version:"6.0.6000.16480", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Inetcomm.dll", version:"6.0.3790.4073", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Inetcomm.dll", version:"6.0.3790.2929", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Inetcomm.dll", version:"6.0.2900.3138", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under SMB/Missing/MS07-034, then
  # raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  # Called on both branches before exiting; presumably releases the
  # file-check session - confirm in the include file.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  # No threshold matched: the host is audited as not affected.
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2012-09-10T04:00:46.413-04:00
class: vulnerability
contributors:
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Chandan S
    organization: SecPod Technologies
definition_extensions:
  • comment: Microsoft Windows XP SP2 or later is installed
    oval: oval:org.mitre.oval:def:521
  • comment: Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval: oval:org.mitre.oval:def:208
  • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
    oval: oval:org.mitre.oval:def:565
  • comment: Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval: oval:org.mitre.oval:def:208
  • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
    oval: oval:org.mitre.oval:def:565
  • comment: Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval: oval:org.mitre.oval:def:208
  • comment: Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval: oval:org.mitre.oval:def:208
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows XP SP1 (64-bit) is installed
    oval: oval:org.mitre.oval:def:480
  • comment: Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval: oval:org.mitre.oval:def:208
description: A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability."
family: windows
id: oval:org.mitre.oval:def:2045
status: accepted
submitted: 2007-06-13T08:22:59.000-04:00
title: URL Parsing Cross Domain Information Disclosure Vulnerability
version: 71

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 24392 CVE(CAN) ID: CVE-2007-2225
Outlook Express是Microsoft Windows操作系统捆绑的邮件和新闻组客户端。
Windows的MHTML协议处理器在返回MHTML内容时没有正确地解释HTTP头,这可能允许Internet Explorer绕过域限制。 攻击者可以通过构建特制的网页来利用该漏洞。如果用户使用Internet Explorer查看网页,该漏洞可能允许信息泄露。成功利用此漏洞的攻击者可以读取另一个Internet Explorer域中的数据。
Microsoft Outlook Express 6.0
Microsoft Windows Mail
临时解决方法:
* 禁用MHTML协议处理程序:
1. 单击“开始”,然后单击“运行”。在文本框中输入regedit.exe,然后单击“确定”。
2. 导航到HKEY_CLASSES_ROOT\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}。
3. 右键单击{05300401-BCBC-11d0-85E3-00C04FD85AB4},然后选择“权限”。
4. 单击“高级”。
5. 取消选中“允许将来自父级的可继承权限传播给该对象”。
6. 单击“删除”,然后单击“确定”。 在后续屏幕上单击“是”和“确定”。
* 将Internet和本地intranet安全区设置为“高”以在运行活动脚本之前要求提示。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS07-034)以及相应补丁:
MS07-034:Cumulative Security Update for Outlook Express and Windows Mail (929123)
链接:http://www.microsoft.com/technet/security/Bulletin/ms07-034.mspx?pf=true
id: SSV:2681
last seen: 2017-11-19
modified: 2007-12-26
published: 2007-12-26
reporter: Root
title: Microsoft Outlook Express MHTML URL解析信息泄露漏洞(MS07-034)