Microsoft Windows Vista Mail Client code execution (Email_Extensionless_File_URI)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, Proventia Desktop, RealSecure Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects the use of a file:// URI without a file extension in an HTML email message, which may cause unintended code execution in the Windows Mail program on Windows Vista.
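As an added illustration of what this signature looks for (example code written for this page, not IBM's signature implementation), the function below scans an HTML email body for file:// URIs whose final path segment carries no extension, after undoing HTML entity encoding so that an encoded `file:&#x2F;&#x2F;` link is examined in its decoded form; the HTML sample and every path in it are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# file:// URIs in attributes or plain text end at whitespace, a quote or an angle bracket.
FILE_URI_RE = re.compile(r"""file://[^\s"'<>]+""", re.IGNORECASE)


def has_extension(uri: str) -> bool:
    """True if the last path segment of a file:// URI has a dotted extension."""
    path = unquote(urlsplit(uri).path)          # drops query/fragment, decodes %xx
    last = path.rstrip("/").rsplit("/", 1)[-1]  # final path segment ('' for a bare drive)
    return "." in last.lstrip(".")              # a leading dot alone is not an extension


def find_extensionless_file_uris(html_body: str) -> list[str]:
    """Return the file:// URIs in an HTML email body whose target has no extension."""
    text = html.unescape(html_body)             # &#x2F; and friends become literal chars
    hits = []
    for match in FILE_URI_RE.finditer(text):
        uri = match.group(0).rstrip(".,;)")     # strip sentence punctuation glued to a link
        if not has_extension(uri):
            hits.append(uri)
    return hits


# Constructed sample body: one ordinary document link, three extensionless links,
# the last one with its slashes HTML-entity encoded.
SAMPLE_HTML = """<html><body>
<p>See the <a href="file://C:/example/docs/report.txt">report</a>.</p>
<p>Then open <a href="file://C:/example/bin/tool">this</a> and
<a href="file://C:/example/bin/tool2?open=1">this</a>.</p>
<p>Encoded: <a href="file:&#x2F;&#x2F;C:&#x2F;example&#x2F;bin&#x2F;tool3">here</a></p>
</body></html>"""

if __name__ == "__main__":
    for uri in find_extensionless_file_uris(SAMPLE_HTML):
        print("extensionless file:// URI:", uri)
```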


False positives

Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

None.

General blocking of network traffic triggering this event is not suggested, as such data may be valid and acceptable in many contexts. Furthermore, the vulnerable mail client is not in widespread use, so catering to its security oversights generally does not warrant the suppression of mail traffic that would otherwise be harmless.


Default risk level

Medium risk vulnerability

Sensors that have this signature

IBM Security Server Protection for Windows: 1.0.914.2020, Proventia Network MFS: XPU 27.010, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 27.010, Proventia-G 1.1 and earlier: XPU 27.010, BlackICE Server Protection: 3.6.cqh, BlackICE PC Protection: 3.6cqh, RealSecure Network: XPU 27.010, RealSecure Server Sensor: XPU 27.010, Proventia Network IPS: XPU 27.010, Proventia Desktop: 2020, RealSecure Desktop: eqh, Proventia Server IPS for Linux technology: 27.010, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows Vista, Microsoft Windows Mail, Microsoft Windows Vista: x64

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows Vista could allow a remote attacker to execute local code on the system because of an error in the Windows Mail client. An attacker could exploit this vulnerability by sending a specially crafted email message containing a malicious URL; if the attacker can persuade the victim to open and authorize that URL, local code is executed on the vulnerable system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-034. See References.

References

Full-Disclosure Mailing List, Fri Mar 23 2007 - 02:52:09 CDT
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0344.html

Full-Disclosure Mailing List, Fri Mar 23 2007 - 05:15:57 CDT
Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0345.html

Microsoft Security Bulletin MS07-034
Cumulative Security Update for Outlook Express and Windows Mail (929123)
http://www.microsoft.com/technet/security/Bulletin/MS07-034.mspx

ISS X-Force
Microsoft Windows Vista Mail Client code execution
http://www.iss.net/security_center/static/33167.php

CVE
CVE-2007-1658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1658