Proventia Desktop, Proventia Network IPS, RealSecure Desktop, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects the use of a file:// URI without an extension in an HTML email message, which may cause unintended code execution in the Windows Mail program in Windows Vista.
Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
None.
General blocking of network traffic triggering this event is not suggested, as such data may be valid and acceptable in many contexts. Furthermore, the vulnerable mail client is not in widespread use, so catering to its security oversights generally does not warrant the suppression of mail traffic that would otherwise be harmless.
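The check this signature describes can be reproduced offline over stored mail; the following is an added example, not ISS product code, and the function names and sample message are constructed for illustration. It reports file: links in HTML parts whose last path segment has no extension, and only flags them for review rather than blocking, in line with the guidance above.

```python
import email
import posixpath
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote

class LinkCollector(HTMLParser):
    """Collects href/src attribute values from one HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def is_extensionless_file_uri(url):
    """True for a file: URI whose last path segment has no extension."""
    if not url.lower().startswith("file:"):
        return False
    # Drop query/fragment, decode %xx, and treat '\' like '/' as Windows does.
    rest = url[5:].split("?", 1)[0].split("#", 1)[0]
    path = unquote(rest).replace("\\", "/").strip("/")
    leaf = posixpath.basename(path)
    return bool(leaf) and posixpath.splitext(leaf)[1] == ""

def find_suspect_links(raw_message):
    """Return extensionless file: links found in the text/html parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            hits += [u for u in collector.urls if is_extensionless_file_uri(u)]
    return hits

# Constructed sample message (not taken from the advisory).
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="file:///C:/Users/Public/notes">one</a>
<a href="FILE://C:\\Users\\Public\\tool">two</a>
<a href="file:///C:/Users/Public/readme.txt">three</a>
<a href="https://example.com/page">four</a>
</body></html>
"""
```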
Medium
Proventia Desktop: 2020, Proventia Network IPS: XPU 27.010, RealSecure Desktop: eqh, RealSecure Network: XPU 27.010, RealSecure Server Sensor: XPU 27.010, BlackICE PC Protection: 3.6cqh, BlackICE Server Protection: 3.6.cqh, Proventia-G 1.1 and earlier: XPU 27.010, Proventia Network IDS: XPU 27.010, IBM Security Server Protection for Windows: 1.0.914.2020, Proventia Network MFS: XPU 27.010, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 27.010, Virtual Server Protection for VMware: 1.0
Microsoft Windows Vista, Microsoft Windows Mail, Microsoft Windows Vista: x64
Unauthorized Access Attempt
Microsoft Windows Vista could allow a remote attacker to execute local code on the system, caused by an error in the Mail Client. An attacker could exploit this vulnerability by sending a specially-crafted email message containing a malicious URL to execute local code on the vulnerable system, if the attacker could persuade the victim to open and authorize the malicious URL.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-034. See References.
Full-Disclosure Mailing List, Fri Mar 23 2007 - 02:52:09 CDT
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0344.html
Full-Disclosure Mailing List, Fri Mar 23 2007 - 05:15:57 CDT
Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0345.html
Microsoft Security Bulletin MS07-034
Cumulative Security Update for Outlook Express and Windows Mail (929123)
http://www.microsoft.com/technet/security/Bulletin/MS07-034.mspx
ISS X-Force
Microsoft Windows Vista Mail Client code execution
http://www.iss.net/security_center/static/33167.php
CVE
CVE-2007-1658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1658