Microsoft closes critical holes in Outlook Express and Windows Mail

As previously announced, Microsoft has released two updates to close critical security holes. A flaw in the implementation of the POP3 and IMAP protocols can be exploited to trigger overflows in Outlook Express and Windows (Live) Mail via specially crafted mail server responses. This allows attackers to inject arbitrary code into a vulnerable system and execute it there at the user's privilege level.

To fall victim to such an attack, users don't necessarily need to contact a manipulated server directly. Attackers with access to a server can also intercept traffic via Man-in-the-Middle attacks or redirect clients via DNS manipulations.

Outlook 5.5 and 6 are affected as well as Windows Mail and Live Mail under Windows 7, Vista, XP, Server 2003 and Server 2008. Microsoft rates the flaw differently for the various versions of the operating system: Under Windows 7, the problem is considered less critical than under XP and Vista – however, this is only because Windows 7 users need to manually install the mail applications before their systems become vulnerable. Windows 7 does contain the vulnerable component, inetcomm.dll. Update MS10-030 fixes the flaw.

Another update, MS10-031, fixes a flaw in the way Visual Basic for Applications (VBA) handles ActiveX controls. Attackers can use specially crafted Office documents to trigger a flaw and compromise a system. Microsoft hasn't provided any further details. Office XP, Office 2003 and 2007 Office System are affected, as well as Microsoft's Visual Basic for Applications developer tools and SDK.

Although Microsoft considers it unlikely that reliable exploit code will emerge for the holes, users are advised to install the updates as soon as possible.

See also:

• Microsoft Security Bulletin Summary for May 2010

(djwm)