CERT-In Vulnerability Note CIVN-2006-33
Microsoft Outlook Express when using a Windows Address Book File Vulnerability

Original Issue Date: April 12, 2006

Severity Rating: Medium

Systems Affected

  • Outlook Express 6 on Windows Server 2003 and Windows Server 2003 Service Pack 1
  • Outlook Express 6 on Windows Server 2003 x64 Edition
  • Outlook Express 6 on Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Outlook Express 6 on Windows XP Service Pack 2
  • Outlook Express 6 on Windows XP Professional x64 Edition
  • Outlook Express 6 Service Pack 1 on Windows XP Service Pack 1 or when installed on Windows 2000 Service Pack 4
  • Outlook Express 5.5 Service Pack 2 on Windows 2000 Service Pack 4
 

Overview

A remote code execution vulnerability exists in Outlook Express when using a Windows Address Book (.wab) file that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Description

The Windows Address Book (WAB) is an application and service that enables users to store and manage contact information.

An unchecked buffer in the Windows Address Book (WAB) functions within Outlook Express can be overrun when a malformed .wab file is processed. A successful overrun leads to remote code execution and allows the attacker to take complete control of the affected system.

An attacker could exploit the vulnerability in either of two ways: by sending a specially crafted .wab file to the user and persuading the user to open it, or by hosting a Web site containing a page that attempts to exploit the vulnerability and persuading the user to visit that site, typically by getting them to click a link that leads to the attacker's site. In either case the exploit cannot take place unless the user saves the .wab file to the desktop and opens it using Outlook Express.

Workarounds

Back up and then remove the .wab file association. Removing the WAB registry key helps protect the affected system from attempts to exploit this vulnerability; keep the backup so the association can be restored once the patch has been applied.
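As an added example, not taken from the advisory or from Microsoft, the following PowerShell script performs the workaround above and can reverse it. It assumes the association lives at the standard extension key HKEY_CLASSES_ROOT\.wab, which the advisory does not name, and it must be run from an elevated (administrator) session.

```powershell
# Added example: back up and remove the .wab file association, or restore it
# from the backup after the MS06-016 patch has been applied.
# Assumption (not stated in the advisory): the association is the standard
# extension key HKEY_CLASSES_ROOT\.wab.
param(
    [ValidateSet('Remove', 'Restore')]
    [string]$Action = 'Remove',
    [string]$BackupFile = "$env:SystemRoot\wab_assoc_backup.reg"
)

$key = 'HKEY_CLASSES_ROOT\.wab'

switch ($Action) {
    'Remove' {
        if (-not (Test-Path "Registry::$key")) {
            Write-Host "No .wab association present at $key; nothing to do."
            return
        }
        # Export the whole key first so the change is reversible. Older reg.exe
        # builds will not overwrite an existing file, so clear it ourselves.
        if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
        & reg.exe export $key $BackupFile
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
            throw "Backup failed; the association was left intact."
        }
        & reg.exe delete $key /f
        if ($LASTEXITCODE -ne 0) { throw "Deleting $key failed." }
        # Confirm the association is really gone before reporting success.
        if (Test-Path "Registry::$key") { throw "$key still present after delete." }
        Write-Host "Removed $key; backup saved to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "Backup file $BackupFile not found." }
        & reg.exe import $BackupFile
        if ($LASTEXITCODE -ne 0) { throw "Restoring $key from $BackupFile failed." }
        Write-Host "Restored $key from $BackupFile"
    }
}
```

Run with `-Action Remove` before the patch is deployed and `-Action Restore` afterwards; the backup .reg file is the only record of the original association, so keep it with the change ticket.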

Solution

Apply the appropriate patch as described in Microsoft Security Bulletin MS06-016.

Vendor information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx

References

Secunia:
http://secunia.com/advisories/19617/

Security Focus:
http://www.securityfocus.com/bid/17459/info

Security Tracker:
http://www.securitytracker.com/alerts/2006/Apr/1015898.html

FrSIRT:
http://www.frsirt.com/english/advisories/2006/1321

Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-007.html

CVE Name
CVE-2006-0014

Revisions:
March 24, 2006: Workarounds, Vendor Information and CVE Name.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003