Microsoft Outlook S/MIME Certificate Handling Flaw Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (E-mail Client) > Microsoft Outlook

Vendors: Microsoft

Microsoft Outlook S/MIME Certificate Handling Flaw Lets Remote Users Obtain Potentially Sensitive Information

SecurityTracker Alert ID: 1029328

SecurityTracker URL: http://securitytracker.com/id/1029328

CVE Reference: CVE-2013-3905 (Links to External Site)

Date: Nov 12 2013

Impact: Disclosure of system information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2007 SP3, 2010 SP1, 2010 SP2, 2013, 2013 RT

Description: A vulnerability was reported in Microsoft Outlook. A remote user can obtain potentially sensitive information.

The system does not properly handle the expansion of S/MIME certificate metadata. A remote user can send an e-mail message with a specially crafted certificate that, when loaded by the target user, will obtain information from the target user's system and network. This may include IP address and open TCP ports.

Alexander Klink of n.runs professionals GmbH reported this vulnerability.

Impact: A remote user can obtain potentially sensitive information, such as IP addresses and open TCP ports.

Solution: The vendor has issued the following fixes:

Microsoft Outlook 2007 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=fd5dc4b5-b188-4420-9d09-faf03507d8d5

Microsoft Outlook 2010 Service Pack 1 (32-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=2a3960f0-5094-45b4-9f63-180b991727dc

Microsoft Outlook 2010 Service Pack 2 (32-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=2a3960f0-5094-45b4-9f63-180b991727dc

Microsoft Outlook 2010 Service Pack 1 (64-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=74e035bb-cdcc-4ea6-a933-b4acd227ce85

Microsoft Outlook 2010 Service Pack 2 (64-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=74e035bb-cdcc-4ea6-a933-b4acd227ce85

Microsoft Outlook 2013 (32-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=ee644350-f64b-471a-a26b-79701b39a1b3

Microsoft Outlook 2013 (64-bit editions):

http://www.microsoft.com/downloads/details.aspx?familyid=7c83b545-42ed-49d8-980a-8c2ad11e6e3c

A restart may be required.

The Microsoft advisory is available at:

http://technet.microsoft.com/en-us/security/bulletin/ms13-094

Vendor URL: technet.microsoft.com/en-us/security/bulletin/ms13-094 (Links to External Site)

Cause: Access control error

Underlying OS: Windows (Any)

Message History: None.

Source Message Contents


[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2020, SecurityGlobal.net LLC