Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)
2011-01-14T00:00:00
ID OPENVAS:1361412562310801713 Type openvas Reporter Copyright (C) 2011 Greenbone Networks GmbH Modified 2020-01-07T00:00:00
Description
This host is missing a critical security update according to
Microsoft Bulletin MS07-056.
###############################################################################
# OpenVAS Vulnerability Test
#
# Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)
#
# Authors:
# Madhuri D <dmadhuri@secpod.com>
#
# Copyright:
# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
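# Metadata section: evaluated when the scanner loads the plugin. It registers
# the identifiers, references, scheduling requirements and result texts of
# this check, then exits before any detection code runs.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.801713");
  script_version("2020-01-07T09:06:32+0000");
  script_tag(name:"last_modification", value:"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)");
  script_tag(name:"creation_date", value:"2011-01-14 07:39:17 +0100 (Fri, 14 Jan 2011)");
  script_cve_id("CVE-2007-3897");
  script_bugtraq_id(25908);
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_name("Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)");
  script_xref(name:"URL", value:"http://securitytracker.com/alerts/2007/Oct/1018786.html");
  script_xref(name:"URL", value:"http://securitytracker.com/alerts/2007/Oct/1018785.html");
  script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-056");

  # The finding is derived from the version of a file on the target
  # (Inetcomm.dll), not from probing the vulnerable code path.
  script_tag(name:"qod_type", value:"executable_version");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");

  # Scheduling: run after the registry enumeration plugin, only against hosts
  # with an SMB port, and only when the registry could be enumerated.
  # NOTE(review): "SMB/registry_enumerated" is presumably set by
  # secpod_reg_enum.nasl after an authenticated SMB login - confirm there.
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/registry_enumerated");

  script_tag(name:"impact", value:"Successful exploitation could cause a heap-based buffer overflow when an NNTP
  server returns more data than the client requested, which could allow remote code execution
  with the rights of the logged-on user.");
  script_tag(name:"affected", value:"- Microsoft Windows XP Service Pack 2 and prior
  - Microsoft Windows 2000 Service Pack 4 and prior
  - Microsoft Windows 2K3 Service Pack 2 and prior
  - Microsoft Windows Vista");
  script_tag(name:"insight", value:"The flaw is due to a boundary error in 'inetcomm.dll' when processing
  NNTP (Network News Transfer Protocol) responses.");
  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"summary", value:"This host is missing a critical security update according to
  Microsoft Bulletin MS07-056.");
  exit(0);
}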
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
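# Detection section for MS07-056 (KB941202): compares the version of
# Inetcomm.dll on the target with the first fixed build for the detected
# Windows release and service pack.
#
# NOTE(review): hotfix_check_sp(), hotfix_missing(), registry_get_sz(),
# fetch_file_version() and the version_* helpers come from the include files
# and are not shown here. The comments below assume that a positive
# hotfix_check_sp() result means "this OS, below the given service-pack
# level" and that hotfix_missing() == 0 means the hotfix is recorded as
# installed - confirm against secpod_reg.inc.

# Leave early on hosts outside the covered OS / service-pack levels.
if(hotfix_check_sp(win2k:5, xp:3, win2003:3, winVista:3) <= 0){
  exit(0);
}

# Leave early when hotfix 941202 is not reported as missing.
if(hotfix_missing(name:"941202") == 0){
  exit(0);
}

# Windows 2000 / XP / Server 2003: Inetcomm.dll is looked up in the directory
# named by the COM3 setup "Install Path" registry value.
sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
                          item:"Install Path");
if(sysPath)
{
  sysVer = fetch_file_version(sysPath:sysPath, file_name:"Inetcomm.dll");
  if(sysVer)
  {
    # Put the observed file version into the result so that a finding can be
    # verified, or dismissed as a false positive, without re-scanning.
    report = "The target host was found to be vulnerable" + '\n' +
             "Inetcomm.dll version found: " + sysVer;

    if(hotfix_check_sp(win2k:5) > 0)
    {
      # Windows 2000 ships either the 5.5 or the 6.0 line of the DLL; each
      # line has its own last vulnerable build.
      if(version_in_range(version:sysVer, test_version:"5.0", test_version2:"5.50.4980.1599") ||
         version_in_range(version:sysVer, test_version:"6.0", test_version2:"6.0.2800.1913")){
        security_message( port: 0, data: report );
      }
      # Host is classified; skip the Vista-only lookups further down.
      exit(0);
    }

    else if(hotfix_check_sp(xp:3) > 0)
    {
      SP = get_kb_item("SMB/WinXP/ServicePack");
      if("Service Pack 2" >< SP)
      {
        # XP SP2: vulnerable below 6.0.2900.3198.
        if(version_is_less(version:sysVer, test_version:"6.0.2900.3198")){
          security_message( port: 0, data: report );
        }
        exit(0);
      }
      # NOTE(review): every other service-pack string, including a missing
      # KB entry, is reported without a file-version comparison. Treat such
      # results as "hotfix flagged missing on a pre-SP2 host" and verify the
      # service-pack level before acting on them.
      security_message( port: 0, data: report );
      exit(0);
    }

    else if(hotfix_check_sp(win2003:3) > 0)
    {
      SP = get_kb_item("SMB/Win2003/ServicePack");
      if("Service Pack 1" >< SP)
      {
        # Server 2003 SP1: vulnerable below 6.0.3790.2992.
        if(version_is_less(version:sysVer, test_version:"6.0.3790.2992")){
          security_message( port: 0, data: report );
        }
        exit(0);
      }
      if("Service Pack 2" >< SP)
      {
        # Server 2003 SP2: vulnerable below 6.0.3790.4133.
        if(version_is_less(version:sysVer, test_version:"6.0.3790.4133")){
          security_message( port: 0, data: report );
        }
        exit(0);
      }
      # NOTE(review): same caveat as the XP branch - no version comparison is
      # made when the service pack is neither SP1 nor SP2 or is unknown.
      security_message( port: 0, data: report );
      exit(0);
    }
  }
}

# Windows Vista: the DLL is read from system32 under the Windows directory
# taken from the CurrentVersion "PathName" registry value.
sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion",
                          item:"PathName");
if(!sysPath){
  exit(0);
}

sysVer = fetch_file_version(sysPath:sysPath, file_name:"system32\Inetcomm.dll");
if(!sysVer){
  exit(0);
}

if(hotfix_check_sp(winVista:3) > 0)
{
  # Vista: vulnerable below 6.0.6000.16545.
  if(version_is_less(version:sysVer, test_version:"6.0.6000.16545")){
    report = "The target host was found to be vulnerable" + '\n' +
             "Inetcomm.dll version found: " + sysVer;
    security_message( port: 0, data: report );
  }
  exit(0);
}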
{"id": "OPENVAS:1361412562310801713", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS07-056.", "published": "2011-01-14T00:00:00", "modified": "2020-01-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801713", "reporter": "Copyright (C) 2011 Greenbone Networks GmbH", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-056", "http://securitytracker.com/alerts/2007/Oct/1018786.html", "http://securitytracker.com/alerts/2007/Oct/1018785.html"], "cvelist": ["CVE-2007-3897"], "lastseen": "2020-01-08T14:04:41", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2007-204", "CPAI-2007-328"]}, {"type": "cve", "idList": ["CVE-2007-3897"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/WINDOWS-HOTFIX-MS07-056/"]}, {"type": "nessus", "idList": ["4232.PRM", "4233.PRM", "4234.PRM", "4235.PRM", "4236.PRM", "SMB_NT_MS07-056.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:801713"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18152", "SECURITYVULNS:DOC:18153", "SECURITYVULNS:VULN:8228"]}, {"type": "seebug", "idList": ["SSV:2283"]}], "rev": 4}, "score": {"value": 7.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2007-204", "CPAI-2007-328"]}, {"type": "cve", "idList": ["CVE-2007-3897"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/WINDOWS-HOTFIX-MS07-056/"]}, {"type": "nessus", "idList": ["4232.PRM", "4233.PRM", "4234.PRM", "4235.PRM", "4236.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:801713"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18153", "SECURITYVULNS:VULN:8228"]}, {"type": 
"seebug", "idList": ["SSV:2283"]}]}, "exploitation": null, "vulnersScore": 7.7}, "pluginID": "1361412562310801713", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801713\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-01-14 07:39:17 +0100 (Fri, 14 Jan 2011)\");\n script_cve_id(\"CVE-2007-3897\");\n script_bugtraq_id(25908);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2007/Oct/1018786.html\");\n script_xref(name:\"URL\", 
value:\"http://securitytracker.com/alerts/2007/Oct/1018785.html\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-056\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation leads to cause a heap-based buffer overflow by\n returning more data than requested by the client.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP Service Pack 2 and prior\n\n - Microsoft Windows 2000 ervice Pack 4 and prior\n\n - Microsoft Windows 2K3 Service Pack 2 and prior\n\n - Microsoft Windows Vista\");\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error in 'inetcomm.dll' when processing\n NNTP (Network News Transfer Protocol) responses.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS07-056.\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2k:5, xp:3, win2003:3, winVista:3) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"941202\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath:sysPath, file_name:\"Inetcomm.dll\");\n if(sysVer)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_in_range(version:sysVer, test_version:\"5.0\", test_version2:\"5.50.4980.1599\") ||\n version_in_range(version:sysVer, test_version:\"6.0\", test_version2:\"6.0.2800.1913\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n\n else if(hotfix_check_sp(xp:3) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.2900.3198\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n\n else if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.2992\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.4133\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The 
target host was found to be vulnerable\" );\n }\n }\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Inetcomm.dll\");\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.0.6000.16545\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645391801}}
{"openvas": [{"lastseen": "2017-07-02T21:13:36", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS07-056.", "cvss3": {}, "published": "2011-01-14T00:00:00", "type": "openvas", "title": "Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:801713", "href": "http://plugins.openvas.org/nasl.php?oid=801713", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms07-056.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation leads to cause a heap-based buffer overflow by\n returning more data than requested by the client.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows XP Service Pack 2 and prior.\n Microsoft Windows 2000 ervice Pack 4 and prior.\n Microsoft Windows 2K3 Service Pack 2 and prior.\n Microsoft Windows Vista\";\ntag_insight = \"The flaw is due to a boundary error in 'inetcomm.dll' when processing\n NNTP (Network News Transfer Protocol) responses.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS07-056.\";\n\nif(description)\n{\n script_id(801713);\n script_version(\"$Revision: 5362 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-14 07:39:17 +0100 (Fri, 14 Jan 2011)\");\n script_cve_id(\"CVE-2007-3897\");\n script_bugtraq_id(25908);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Outlook Express And Windows Mail NNTP Protocol Heap Buffer Overflow Vulnerability (941202)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/27112\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2007/Oct/1018786.html\");\n script_xref(name : 
\"URL\" , value : \"http://securitytracker.com/alerts/2007/Oct/1018785.html\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2k:5, xp:3, win2003:3, winVista:3) <= 0){\n exit(0);\n}\n\n## Hotfix check\nif(hotfix_missing(name:\"941202\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath, file_name:\"Inetcomm.dll\");\n if(sysVer)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for Inetcomm.dll vesrion 5.0 < 5.50.4980.1600, 6.0 < 6.0.2800.1914\n if(version_in_range(version:sysVer, test_version:\"5.0\", test_version2:\"5.50.4980.1599\") ||\n version_in_range(version:sysVer, test_version:\"6.0\", test_version2:\"6.0.2800.1913\")){\n security_message(0);\n }\n }\n \n ## Windows XP\n else if(hotfix_check_sp(xp:3) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n ## Grep for Inetcomm.dll version < 6.0.2900.3198\n if(version_is_less(version:sysVer, test_version:\"6.0.2900.3198\")){\n security_message(0);\n }\n exit(0);\n 
}\n security_message(0);\n }\n \n ## Windows 2003\n else if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n ## Grep for Inetcomm.dll version < 6.0.3790.2992\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.2992\")){\n security_message(0);\n }\n exit(0);\n }\n if(\"Service Pack 2\" >< SP)\n {\n ## Grep for Inetcomm.dll version < 6.0.3790.4133\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.4133\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n }\n }\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Inetcomm.dll\");\nif(!sysVer){\n exit(0);\n}\n \n## Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n ## Grep for Inetcomm.dll version < 6.0.6000.16545\n if(version_is_less(version:sysVer, test_version:\"6.0.6000.16545\")){\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "description": "Microsoft Security Bulletin MS07-056 - Critical\r\nSecurity Update for Outlook Express and Windows Mail (941202)\r\nPublished: October 9, 2007\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis critical security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution due to an incorrectly handled malformed NNTP response. An attacker could exploit the vulnerability by constructing a specially crafted Web page.\r\n\r\nThis is a critical security update for all supported versions of Microsoft Outlook express and Microsoft Windows Mail. 
For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThis security update removes the vulnerability by changing the newsgroup client to handle malformed responses correctly. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update immediately.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 941202 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tSeverity Rating\tBulletins Replaced by This Update\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nOutlook Express 5.5 Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS06-076\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nOutlook Express 6 Service Pack 1\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS06-076\r\n\r\nWindows XP Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 Service Pack 1\r\n\t\r\n\r\nMicrosoft Outlook 
Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 x64 Edition\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 with SP1 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Vista\r\n\t\r\n\r\nWindows Mail\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNot Applicable\r\n\r\nWindows Vista x64 Edition\r\n\t\r\n\r\nWindows Mail\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNot Applicable\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhat are the known issues that customers may experience when they install this security update? \r\nMicrosoft Knowledge Base Article 941202 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues\r\n\r\nI am using an older version or edition of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which versions or editions are affected. Other versions or editions are past their support life cycle. 
To determine the support life cycle for your software versions or editions, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older versions or editions of the software to migrate to supported versions or editions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. 
For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tNetwork News Transfer Protocol Memory Corruption Vulnerability \u2013 CVE-2007-3897\r\nWindows 2000\t \r\n\r\nOutlook Express 5.5 Service Pack 2 on Microsoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\n\r\nOutlook Express 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\nWindows XP\t \r\n\r\nOutlook Express 6 on Windows XP Service Pack 2\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\n\r\nOutlook Express 6 on Windows XP Professional x64 Service Pack 2\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\nWindows Server\t \r\n\r\nOutlook Express 6 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\n\r\nOutlook Express 6 on Windows Server 2003 x64 Edition and Outlook Express 6 on Windows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\n\r\nOutlook Express 6 on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nCritical\r\nRemote Code Execution\r\nWindows Vista\t \r\n\r\nWindows Mail in Windows Vista\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\r\nWindows Mail in Windows Vista x64 Edition\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\nTop of sectionTop of section\r\n\t\r\nNetwork News Transfer Protocol Memory Corruption Vulnerability \u2013 CVE-2007-3897\r\n\r\nA remote code execution vulnerability exists in Outlook Express and Windows Mail for Microsoft Vista, due to an incorrectly handled malformed NNTP response. 
An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3897.\r\n\t\r\nMitigating Factors for Network News Transfer Protocol Memory Corruption Vulnerability \u2013 CVE-2007-3897\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability In addition, Web sites that accept or host user-provided content, or compromised Web sites and advertisement servers could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nInternet Explorer 7 Protect Mode on Microsoft Windows Vista displays a warning dialogue that a Web page is attempting to access Windows Mail. 
The user would have to click allow before the vulnerability could be exploited.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Network News Transfer Protocol Memory Corruption \u2013 CVE-2007-3897\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable news protocol handler.\r\n\r\nYou can disable the news protocol handler by removing the application associated with it in the registry.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.\r\n\r\nPaste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension\r\n\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CLASSES_ROOT\news\shell\open\command]\r\n@=""\r\n\r\n[HKEY_CLASSES_ROOT\snews\shell\open\command]\r\n@=""\r\n\r\nYou can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. 
For more information about Group Policy, visit the following Microsoft Web sites:\r\n\u2022\t\r\n\r\nGroup Policy collection\r\n\u2022\t\r\n\r\nWhat is Group Policy Object Editor?\r\n\u2022\t\r\n\r\nCore Group Policy tools and settings\r\n\r\nImpact of workaround: This workaround removes the associated application that is used to run NNTP.\r\n\u2022\t\r\n\r\nRemove News Accounts.\r\n\r\nRemoving all registered news accounts in Outlook Express or Windows Mail client.\r\n\r\n1.\r\n\t\r\n\r\nIn Windows Mail or Outlook Express select the Tools menu and then Accounts\r\n\r\n2.\r\n\t\r\n\r\nSelect a News account and click remove then OK or Yes\r\n\r\n3.\r\n\t\r\n\r\nRepeat step 2 for all News accounts\r\n\r\nImpact of workaround:Removing newsgroups that have been registered will make them unavailable for use unless you reregister them again.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Network News Transfer Protocol Memory Corruption \u2013 CVE-2007-3897\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is present due to incorrect handling of malformed responses in the Network News Transfer Protocol (NNTP).\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability and then convince a user to view the Web site. This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. 
In no case, however, would an attacker have a way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nThese vulnerabilities require that a user is logged on and visits a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from these vulnerabilities.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by changing the news client to handle malformed responses correctly.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nGreg MacManus of VeriSign iDefense Labs for reporting the Network News Transfer Protocol Memory Corruption Vulnerability \u2013 CVE-2007-3897.\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. 
There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\nTop of sectionTop of section\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\nTop of sectionTop of section\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (October 09, 2007): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2007-10-10T00:00:00", "title": "Microsoft Security Bulletin MS07-056 - Critical Security Update for Outlook Express and Windows Mail (941202)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2007-10-10T00:00:00", "id": "SECURITYVULNS:DOC:18153", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18153", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "description": "Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow\r\n\r\niDefense Security Advisory 10.09.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nOct 09, 2007\r\n\r\nI. BACKGROUND\r\n\r\nMicrosoft Windows Mail and Outlook Express are the default mail and news\r\nclients for Windows operating systems. 
More information can be found at\r\nthe following URLs.\r\n\r\nhttp://www.microsoft.com/windows/products/windowsvista/features/details/mail.mspx\r\nhttp://www.microsoft.com/windows/ie/ie6/using/oe/default.mspx\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a heap overflow in Microsoft Corp.'s Windows Mail\r\nand Outlook Express NNTP clients may allow an attacker to execute code\r\nwith the privileges of the logged on user.\r\n\r\nNNTP (Network News Transfer Protocol) is a protocol for reading and\r\nposting Usenet articles. Windows Mail and Outlook Express both contain\r\na heap overflow vulnerability in their handling of NNTP replies. If the\r\nserver returns more data than the client requests, attacker-controlled\r\nvalues can be stored outside of the allocated memory region,\r\noverwriting control structures in a way which may allow code execution.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability would allow an attacker to execute\r\narbitrary code in the context of the currently logged on user. In order\r\nto exploit this vulnerability, an attacker would need to convince the\r\ntargeted user to view a website under their control or otherwise open a\r\nlink to their NNTP server. No further interaction is required to exploit\r\nthe vulnerability.\r\n\r\nIf the 'nntp', 'news' or 'snews' (secure news) protocol handlers have\r\nnot been explicitly associated with another application, the default\r\nhandlers will be set to Windows Mail (in Vista) and Outlook Express (in\r\nprevious versions of Windows). Exploitation of this vulnerability does\r\nnot require the targeted user to have set up an account in the affected\r\nprogram.\r\n\r\nIV. DETECTION\r\n\r\niDefense confirmed the following programs on Windows operating systems\r\nare affected:\r\n\r\n Windows Mail on Windows Vista\r\n Outlook Express 6 on Windows XP SP2\r\n Outlook Express 6 on Windows 2000 SP4\r\n\r\nV. 
WORKAROUND\r\n\r\nDeleting all sub-keys of the following registry keys will remove the\r\n'news' and 'snews' protocol handlers:\r\n\r\n HKEY_CLASSES_ROOT\\news\\shell\r\n HKEY_CLASSES_ROOT\\snews\\shell\r\n\r\nThese keys may be restored under some circumstances. To prevent this\r\nfrom occurring, set the 'Deny Full Control' permission for the group\r\n'Everyone' on the keys.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft has addressed this vulnerability within MS07-056. For more\r\ninformation, consult their bulletin at the following URL.\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS07-056.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-3897 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n07/11/2007 Initial vendor notification\r\n07/11/2007 Initial vendor response\r\n10/09/2007 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was discovered by Greg MacManus of VeriSign iDefense\r\nLabs.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. 
Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "edition": 1, "cvss3": {}, "published": "2007-10-10T00:00:00", "title": "iDefense Security Advisory 10.09.07: Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2007-10-10T00:00:00", "id": "SECURITYVULNS:DOC:18152", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18152", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:27", "description": "Heap memory overflow on NNTP server reply parsing.", "edition": 1, "cvss3": {}, "published": "2007-10-10T00:00:00", "title": "Microsoft Outlook Express / Windows Mail NNTP buffer overflow", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2007-10-10T00:00:00", "id": "SECURITYVULNS:VULN:8228", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8228", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-08-19T13:12:57", "description": "Arbitrary code can be executed on the remote host through the email client. The remote host is running a version of Microsoft Outlook Express that contains several security flaws that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-10-10T00:00:00", "type": "nessus", "title": "Cumulative Security Update for Microsoft Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*"], "id": "4235.PRM", "href": "https://www.tenable.com/plugins/nnm/4235", "sourceData": "Binary data 4235.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:12:58", "description": "Arbitrary code can be executed on the remote host through the email client. The remote host is running a version of Microsoft Outlook Express that contains several security flaws that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-10-10T00:00:00", "type": "nessus", "title": "Cumulative Security Update for Microsoft Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*"], "id": "4234.PRM", "href": "https://www.tenable.com/plugins/nnm/4234", "sourceData": "Binary data 4234.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:12:57", "description": "Arbitrary code can be executed on the remote host through the email client. 
The remote host is running a version of Microsoft Outlook Express that contains several security flaws that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-10-10T00:00:00", "type": "nessus", "title": "Cumulative Security Update for Microsoft Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*"], "id": "4232.PRM", "href": "https://www.tenable.com/plugins/nnm/4232", "sourceData": "Binary data 4232.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:12:57", "description": "Arbitrary code can be executed on the remote host through the email client. The remote host is running a version of Microsoft Outlook Express that contains several security flaws that may allow an attacker to execute arbitrary code on the remote host. 
To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-10-10T00:00:00", "type": "nessus", "title": "Cumulative Security Update for Microsoft Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*"], "id": "4233.PRM", "href": "https://www.tenable.com/plugins/nnm/4233", "sourceData": "Binary data 4233.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:09", "description": "The remote host is running a version of Microsoft Outlook Express that contains several security flaws that could allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": null, "vector": null}, "published": "2007-10-09T00:00:00", "type": "nessus", "title": "MS07-056: Cumulative Security Update for Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS07-056.NASL", "href": "https://www.tenable.com/plugins/nessus/26962", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26962);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2007-3897\");\n script_bugtraq_id(25908);\n script_xref(name:\"MSFT\", value:\"MS07-056\");\n script_xref(name:\"MSKB\", value:\"941202\");\n \n\n script_name(english:\"MS07-056: Cumulative Security Update for Outlook Express and Windows Mail (941202)\");\n 
script_summary(english:\"Determines the presence of update 941202\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the email\nclient.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Outlook Express that\ncontains several security flaws that could allow an attacker to execute\narbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to send a malformed email\nto a victim on the remote host and have him open it.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-056\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Outlook Express and Windows\nMail.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 
445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-056';\nkb = '941202';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Inetcomm.dll\", version:\"6.0.6000.16545\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Inetcomm.dll\", version:\"6.0.3790.4133\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Inetcomm.dll\", version:\"6.0.3790.2992\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Inetcomm.dll\", version:\"6.0.2900.3198\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.0\", file:\"Inetcomm.dll\", version:\"6.0.2800.1914\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\",\t file:\"Inetcomm.dll\", version:\"5.50.4980.1600\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:12:58", "description": "Arbitrary code can be executed on the remote host through the email client. The remote host is running a version of Microsoft Outlook Express that contains several security flaws that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed email to a victim on the remote host and have him open it.", "cvss3": {"score": 5, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2007-10-10T00:00:00", "type": "nessus", "title": "Cumulative Security Update for Microsoft Outlook Express and Windows Mail (941202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:microsoft:outlook_express:*:*:*:*:*:*:*:*"], "id": "4236.PRM", "href": "https://www.tenable.com/plugins/nnm/4236", "sourceData": "Binary data 4236.prm", "cvss": {"score": 5.4, "vector": "CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-11-05T00:13:59", "description": "Several versions of Microsoft Outlook have vulnerabilities in their handling of NNTP headers that could result in arbitrary code execution.", "cvss3": {}, "published": "2007-10-11T00:00:00", "type": "checkpoint_advisories", "title": "IPS-1 Protection for Outlook NNTP Vulnerability (CVE-2007-3897/MS07-056)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3897"], 
"modified": "2007-01-01T00:00:00", "id": "CPAI-2007-204", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:39:48", "description": "Network News Transfer Protocol (NNTP) is an open standard designed for the distribution, enquiry, retrieval, and posting of news articles using a reliable stream-based transmission over the Internet. It is the core protocol of the newsgroup service. The most commonly used communication end point for NNTP is TCP port 119. There is a buffer overflow vulnerability exists in Microsoft Outlook Express and Windows Mail. Specifically the vulnerability is due to lack of boundary checks when processing news subjects from the NNTP server. Successful exploitation would allow the attacker to execute arbitrary code on the vulnerable client system, in the context of the logged in user. An attack targeting this vulnerability can result in the injection and execution of arbitrary code. If code execution is successful, the behaviour of the target will depend on the intention of the attacker. Any injected code will be executed within the security context of the currently logged in user. 
In the case of an unsuccessful code execution attack, Microsoft Outlook Express and/or Windows Mail will terminate unexpectedly.", "cvss3": {}, "published": "2009-12-20T00:00:00", "type": "checkpoint_advisories", "title": "Outlook Express and Windows Mail NNTP Handling Code Execution (MS07-056; CVE-2007-3897)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3897"], "modified": "2016-02-14T00:00:00", "id": "CPAI-2007-328", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:56:09", "description": "BUGTRAQ ID: 25908\r\nCVE(CAN) ID: CVE-2007-3897\r\n\r\nOutlook Express\u548cWindows Mail\u90fd\u662fWindows\u64cd\u4f5c\u7cfb\u7edf\u6240\u6346\u7ed1\u7684\u90ae\u4ef6\u548c\u65b0\u95fb\u7ec4\u5ba2\u6237\u7aef\u3002NNTP\uff08\u7f51\u7edc\u65b0\u95fb\u4f20\u8f93\u534f\u8bae\uff09\u662f\u7528\u4e8e\u8bfb\u53d6\u548c\u5f20\u8d34Usenet\u6587\u7ae0\u7684\u534f\u8bae\u3002\r\n\r\nWindows Mail\u548cOutlook 
Express\u5728\u5904\u7406NNTP\u56de\u590d\u65f6\u5b58\u5728\u5806\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u6076\u610fNNTP\u670d\u52a1\u5668\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u5982\u679c\u670d\u52a1\u5668\u8fd4\u56de\u4e86\u591a\u4e8e\u5ba2\u6237\u7aef\u6240\u8bf7\u6c42\u7684\u6570\u636e\uff0c\u5c31\u53ef\u80fd\u5c06\u653b\u51fb\u8005\u53ef\u63a7\u7684\u503c\u50a8\u5b58\u5230\u6240\u5206\u914d\u7684\u5185\u5b58\u8303\u56f4\u4e4b\u5916\uff0c\u8986\u76d6\u63a7\u5236\u7ed3\u6784\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\n\n\nMicrosoft Outlook Express 6.0 SP1\r\nMicrosoft Outlook Express 6.0\r\nMicrosoft Outlook Express 5.5 SP2\r\nMicrosoft Windows Mail\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u7981\u7528\u65b0\u95fb\u534f\u8bae\u5904\u7406\u7a0b\u5e8f\u3002\u8bf7\u5c06\u4ee5\u4e0b\u6587\u672c\u7c98\u8d34\u4e8e\u8bb0\u4e8b\u672c\u7b49\u6587\u672c\u7f16\u8f91\u5668\u4e2d\uff0c\u7136\u540e\u4f7f\u7528.reg\u6587\u4ef6\u6269\u5c55\u540d\u4fdd\u5b58\u6587\u4ef6\uff1a\r\n\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CLASSES_ROOT\\news\\shell\\open\\command]\r\n@=""\r\n\r\n[HKEY_CLASSES_ROOT\\snews\\shell\\open\\command]\r\n@=""\r\n\r\n\u60a8\u53ef\u4ee5\u901a\u8fc7\u53cc\u51fb\u6b64.reg\u6587\u4ef6\u5c06\u5176\u5e94\u7528\u5230\u5404\u4e2a\u7cfb\u7edf\uff0c\u8fd8\u53ef\u4ee5\u4f7f\u7528\u7ec4\u7b56\u7565\u8de8\u57df\u5e94\u7528\u8be5\u6587\u4ef6\u3002\r\n\r\n* \u5220\u9664Outlook Express\u6216Windows Mail\u5ba2\u6237\u7aef\u4e2d\u6240\u6709\u5df2\u6ce8\u518c\u7684\u65b0\u95fb\u5e10\u6237\u3002\r\n \r\n 1. \u5728Windows Mail\u6216Outlook Express\u4e2d\uff0c\u9009\u62e9\u201c\u5de5\u5177\u201d\u83dc\u5355\uff0c\u7136\u540e\u9009\u62e9\u201c\u5e10\u6237\u201d\r\n 2. \u9009\u62e9\u4e00\u4e2a\u65b0\u95fb\u5e10\u6237\uff0c\u7136\u540e\u4f9d\u6b21\u5355\u51fb\u201c\u5220\u9664\u201d\u3001\u201c\u786e\u5b9a\u201d\u6216\u201c\u662f\u201d\r\n 3. 
\u5bf9\u6240\u6709\u65b0\u95fb\u5e10\u6237\u91cd\u590d\u6b65\u9aa42\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS07-056\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS07-056\uff1aSecurity Update for Outlook Express and Windows Mail (941202)\r\n\u94fe\u63a5\uff1a<a href=\"http://www.microsoft.com/technet/security/Bulletin/MS07-056.mspx?pf=true\" target=\"_blank\">http://www.microsoft.com/technet/security/Bulletin/MS07-056.mspx?pf=true</a>", "cvss3": {}, "published": "2007-10-12T00:00:00", "type": "seebug", "title": "Microsoft Outlook Express\u548cWindows Mail NNTP\u534f\u8bae\u56de\u5e94\u6570\u636e\u5806\u6ea2\u51fa\u6f0f\u6d1e\uff08MS07-056\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-3897"], "modified": "2007-10-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2283", "id": "SSV:2283", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2021-05-06T11:02:39", "description": "\n", "edition": 2, "cvss3": {}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "MS07-056: Security Update for Outlook Express and Windows Mail (941202)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3897"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/WINDOWS-HOTFIX-MS07-056/", "href": "", "sourceData": "", 
"sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:44:36", "description": "Heap-based buffer overflow in Microsoft Outlook Express 6 and earlier, and Windows Mail for Vista, allows remote Network News Transfer Protocol (NNTP) servers to execute arbitrary code via long NNTP responses that trigger memory corruption.", "cvss3": {}, "published": "2007-10-09T22:17:00", "type": "cve", "title": "CVE-2007-3897", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3897"], "modified": "2019-10-09T22:53:00", "cpe": ["cpe:/a:microsoft:windows_mail:-", "cpe:/a:microsoft:outlook_express:6.0"], "id": "CVE-2007-3897", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3897", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:windows_mail:-:*:*:*:*:vista:*:*", "cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*"]}]}