Vulnerabilities > CVE-2008-3068 - Remote Information Disclosure vulnerability in Microsoft Crypto API X.509 Certificate Validation
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.
Vulnerable Configurations
References
- http://securityreason.com/securityalert/3978
- http://www.securityfocus.com/archive/1/493947/100/0/threaded
- http://www.securityfocus.com/archive/1/494101/100/0/threaded
- http://www.securityfocus.com/bid/28548
- http://www.securitytracker.com/id?1019736
- http://www.securitytracker.com/id?1019737
- http://www.securitytracker.com/id?1019738
- https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
- https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
- https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
- https://www.cynops.de/techzone/http_over_x509.html
- https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt
- https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt
- https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt