Microsoft Outlook SMB code execution (Content_TNEF_Outlook_Attachment_Exec)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects specially crafted email messages designed to bypass Microsoft Outlook's attachment verification, thus allowing the delivery of dangerous file types to recipients. If such an attachment is opened, an attacker's executable could run.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 30.070, Proventia Desktop: 2540, RealSecure Network: XPU 30.070, RealSecure Server Sensor: XPU 30.070, Proventia Network MFS: XPU 30.070, Proventia Network IDS: XPU 30.070, Proventia-G 1.1 and earlier: XPU 30.070, IBM Security Server Protection for Windows: 2.1.14.2540, Proventia Server IPS for Linux technology: 30.070, Virtual Server Protection for Vmware: XPU 30.070

Systems affected

Microsoft Outlook: 2002 SP3, Microsoft Outlook: 2003 SP3, Microsoft Outlook: 2007 SP1, Microsoft Outlook: 2007 SP2

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Outlook could allow a remote attacker to execute arbitrary code on the system, caused by the improper verification of the file extension of an SMB attachment. By persuading a victim to open a specially-crafted email, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS10-045
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx

IBM Internet Security Systems Protection Alert
Microsoft Office Outlook Could Allow Remote Code Execution
http://www.iss.net/threats/372.html

Microsoft Security Bulletin MS10-064
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
http://www.microsoft.com/technet/security/bulletin/ms10-064.mspx

ISS X-Force
Microsoft Outlook SMB code execution
http://www.iss.net/security_center/static/59894.php

CVE
CVE-2010-0266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0266