Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: c07-1826.htm

Microsoft Outlook Vulnerability
Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability
Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability

Computer Terrorism  (UK) :: Incident Response Centre 

Security Advisory: CT09-01-2007

======================================================Microsoft Outlook Advanced Find - Remote Code Execution
Advisory Date: 11th January 2007

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference:  CVE-2007-0034

Affected Software
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003

Microsoft Outlook is a popular personal communication manager that 
provides end users with a unified place to manage e-mail, calendar 
and contact information.

As part of its standard offering, Outlook also includes an Advanced 
Search facility (Finder.exe) enabling end-users to query any aspect 
of their repository information.

Unfortunately, it transpires that Outlook/Finder is susceptible to 
a remote Buffer overflow vulnerability, when processing the contents 
of a specially crafted Office Saved Search (.oss) file.

The issue in question stems from a simple oversight in the design of 
an intrinsic string manipulation function, which attempts to copy 
1024 bytes of user supplied Unicode content, to a pre-allocated buffer 
of only 512 bytes (even though sufficient length checks are invoked).

As the destination buffer is unable to accommodate the additional data, 
the net result is that of a classic stack overflow condition, in which 
Instruction Pointer (EIP) control is gained via one of several 
available return addresses.

As with most file parsing vulnerabilities, the aforementioned issue 
will require a certain degree of social engineering to achieve successful 

However, Office Saved Searches (.oss) file types share very similar 
display characteristics to that of harmless looking e-mail icons. 
As such, end-users could be fooled into thinking the attachment is 
a non-threatening mail forward.

The vendor security bulletin and corresponding patches are available 
at the following location: 

12/05/2006  Preliminary Vendor notification.
24/05/2006  Vulnerability confirmed by Vendor 
16/10/2006  Public Disclosure Deferred by Vendor
09/01/2007  Public release.

Total Time to Fix: 7 months 29 Days (243 days in total)

The vulnerability was discovered by Stuart Pearson of Computer Terrorism

=======================About Computer Terrorism
Computer Terrorism (UK) Ltd is a global provider of Digital Risk 
Intelligence services. Our unique approach to vulnerability risk 
assessment and mitigation has helped protect some of the worlds 
most at risk organisations.

Headquartered in London, Computer Terrorism has representation throughout 
Europe & North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at]

To learn more about our services or to register for a FREE comprehensive 
website penetration test, visit: http:/ 

Computer Terrorism (UK) :: Protection for a vulnerable world.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH