Check Point Reference: | CPAI-2007-071 |
Date Published: | 14 Jun 2007 |
Severity: | Critical |
Last Updated: | Monday 01 January, 2007 |
Source: | Microsoft Security Bulletin MS07-034 |
Industry Reference: | CVE-2006-2111 |
Protection Provided by: | |
Who is Vulnerable? | Microsoft Outlook Express 6 on Windows XP SP2; Microsoft Outlook Express 6 on Windows XP Professional x64 Edition; Microsoft Outlook Express 6 on Windows XP Professional x64 Edition SP2; Microsoft Outlook Express 6 on Windows Server 2003 SP1; Microsoft Outlook Express 6 on Windows Server 2003 SP2; Microsoft Outlook Express 6 on Windows Server 2003 x64 Edition; Microsoft Outlook Express 6 on Windows Server 2003 x64 Edition SP2; Microsoft Outlook Express 6 on Windows Server 2003 with SP1 (Itanium); Microsoft Outlook Express 6 on Windows Server 2003 with SP2 (Itanium); Windows Mail on Windows Vista; Windows Mail on Windows Vista x64 Edition |
Vulnerability Description | An information disclosure vulnerability has been reported in Microsoft Windows. The vulnerability is in the MHTML protocol handler, a component of Outlook Express. The MHTML (MIME Encapsulation of Aggregate HTML) protocol handler provides a URL type (MHTML://) that permits MHTML-encoded documents to be rendered in applications. A remote attacker could exploit the vulnerability to access sensitive information on behalf of the target user. |
Update/Patch Available | Apply patches: MS07-034: Cumulative security update for Outlook Express and for Windows Mail |
Vulnerability Details | The vulnerability is due to an error in the MHTML protocol handler, which fails to properly process MHTML URL redirections. To trigger this flaw, an attacker can craft a malicious web page that exploits the vulnerability. Successful exploitation allows remote attackers to read content and data served from another domain in the context of the malicious web page. |