Computer Terrorism (UK) :: Incident Response Centre www.computerterrorism.com Security Advisory: CT09-01-2007 ======================================================= Microsoft Outlook Advanced Find - Remote Code Execution ======================================================= Advisory Date: 11th January 2007 Severity: Critical Impact: Remote System Access Solution Status: Vendor Patch CVE Reference: CVE-2007-0034 Affected Software ================= Microsoft Outlook 2000 Microsoft Outlook 2002 Microsoft Outlook 2003 1. OVERVIEW =========== Microsoft Outlook is a popular personal communication manager that provides end users with a unified place to manage e-mail, calendar and contact information. As part of its standard offering, Outlook also includes an Advanced Search facility (Finder.exe) enabling end-users to query any aspect of their repository information. Unfortunately, it transpires that Outlook/Finder is susceptible to a remote Buffer overflow vulnerability, when processing the contents of a specially crafted Office Saved Search (.oss) file. 2. TECHNICAL NARRATIVE ====================== The issue in question stems from a simple oversight in the design of an intrinsic string manipulation function, which attempts to copy 1024 bytes of user supplied Unicode content, to a pre-allocated buffer of only 512 bytes (even though sufficient length checks are invoked). As the destination buffer is unable to accommodate the additional data, the net result is that of a classic stack overflow condition, in which Instruction Pointer (EIP) control is gained via one of several available return addresses. 3. EXPLOITATION =============== As with most file parsing vulnerabilities, the aforementioned issue will require a certain degree of social engineering to achieve successful exploitation. However, Office Saved Searches (.oss) file types share very similar display characteristics to that of harmless looking e-mail icons. As such, end-users could be fooled into thinking the attachment is a non-threatening mail forward. 4. VENDOR RESPONSE ================== The vendor security bulletin and corresponding patches are available at the following location: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx 5. DISCLOSURE ANALYSIS ====================== 12/05/2006 Preliminary Vendor notification. 24/05/2006 Vulnerability confirmed by Vendor 16/10/2006 Public Disclosure Deferred by Vendor 09/01/2007 Public release. Total Time to Fix: 7 months 29 Days (243 days in total) 6. CREDIT ========= The vulnerability was discovered by Stuart Pearson of Computer Terrorism ======================== About Computer Terrorism ======================== Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services. Our unique approach to vulnerability risk assessment and mitigation has helped protect some of the worlds most at risk organisations. Headquartered in London, Computer Terrorism has representation throughout Europe & North America and can be reached at +44 (0) 870 250 9866 or email:- sales [at] computerterrorism.com To learn more about our services or to register for a FREE comprehensive website penetration test, visit: http:/www.computerterrorism.com Computer Terrorism (UK) :: Protection for a vulnerable world.