Microsoft Outlook S/MIME Certificate Handling Flaw Lets Remote Users Obtain Potentially Sensitive Information
|
SecurityTracker Alert ID: 1029328 |
SecurityTracker URL: http://securitytracker.com/id/1029328
|
CVE Reference:
CVE-2013-3905
|
Date: Nov 12 2013
|
Impact:
Disclosure of system information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2007 SP3, 2010 SP1, 2010 SP2, 2013, 2013 RT
|
Description:
A vulnerability was reported in Microsoft Outlook. A remote user can obtain potentially sensitive information.
The system does not properly handle the expansion of S/MIME certificate metadata. A remote user can send an e-mail message with a specially crafted certificate that, when loaded by the target user, allows the remote user to obtain information about the target user's system and network. This may include IP addresses and open TCP ports.
Alexander Klink of n.runs professionals GmbH reported this vulnerability.
|
Impact:
A remote user can obtain potentially sensitive information, such as IP addresses and open TCP ports.
|
Solution:
The vendor has issued the following fixes:
Microsoft Outlook 2007 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=fd5dc4b5-b188-4420-9d09-faf03507d8d5
Microsoft Outlook 2010 Service Pack 1 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=2a3960f0-5094-45b4-9f63-180b991727dc
Microsoft Outlook 2010 Service Pack 2 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=2a3960f0-5094-45b4-9f63-180b991727dc
Microsoft Outlook 2010 Service Pack 1 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=74e035bb-cdcc-4ea6-a933-b4acd227ce85
Microsoft Outlook 2010 Service Pack 2 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=74e035bb-cdcc-4ea6-a933-b4acd227ce85
Microsoft Outlook 2013 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=ee644350-f64b-471a-a26b-79701b39a1b3
Microsoft Outlook 2013 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=7c83b545-42ed-49d8-980a-8c2ad11e6e3c
A restart may be required.
The Microsoft advisory is available at:
http://technet.microsoft.com/en-us/security/bulletin/ms13-094
|
Vendor URL: technet.microsoft.com/en-us/security/bulletin/ms13-094
|
Cause:
Access control error
|
Underlying OS: Windows (Any)