More Vulnerabilities Found; More Platforms Affected

Severity: High

26 October, 2007

Update:

On Monday 22 October, we published an alert about a serious vulnerability that affects RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. RealNetworks released a patch to fix that problem. However, it appears that update marked just the beginning of RealNetwork security holes.

Late yesterday, RealNetwork released the second batch of security updates this week, this time fixing six serious vulnerabilities in their media player product line. Here’s what you need to know about the new flaws.

The new flaws affect many more products than the earlier flaw did, including products that run in OS X and Linux. The affected products now include:

• RealPlayer 8, 10, 10.5, 11 for Windows, Mac, and Linux
• RealOne Player v1 and v2 for Windows, and RealOne Player for Mac
• RealPlayer Enterprise
• Helix Player 10.0.x for Linux.

Though these new flaws differ from one another technically, they share many similarities. For example, all six flaws involve buffer overflow vulnerabilities triggered when RealPlayer parses specially crafted media files. They also share the same scope and impact. If an attacker can entice one of your users into downloading a maliciously crafted media file, then playing it in RealPlayer, the attacker can exploit any of these vulnerabilities to execute attack code on that user’s computer. Depending on the user’s privileges, an attacker could even exploit these flaws to gain control of the victimr’s machine. The only notable difference among the flaws is that an attacker uses a different media file format to exploit each one. The potentially dangerous media files that trigger these flaws are:

• RealMedia files (.rm)
• MP3 audio files (.mp3)
• Flash files (.swf)
• RealAudio Metadata files (.ram)
• Playlist files (.pls)
• Synchronized Multimedia Integration Language files (.smil).

Unlike the flaw covered in our 22 October alert, RealNetworks has not found attackers exploiting these new flaws in the wild yet. Nonetheless, these security holes pose a serious threat to RealPlayer users. You should download, test, and deploy these new patches as soon as you can, whether or not you applied the previous RealPlayer update from Monday. How you download the updates differs depending on which product you use. Refer to the “Instructions” section of RealNetworks security update for detailed directions on patching the different media player products.

As a convenient reference, we’ve duplicated the 22 October RealPlayer alert, below. You can also find it in the LiveSecurity Latest Broadcasts archive.

Summary:

Late Friday, RealNetworks released a patch for a critical vulnerability affecting RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. If you allow the use of RealPlayer in your network, have your users upgrade immediately.

Exposure:

RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you’ve watched streaming videos on the Internet, or listened to music samples while buying CDs online, you’ve probably encountered RealPlayer.

WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetwork’s “partners” (such as NASCAR and CNN) install software on your client computers. But in reality, many of your users have probably installed one of these products, with or without your permission.

In a security update released late Friday, RealNetworks warned of a new vulnerability that affects RealPlayer 10.5 and 11 beta running on Windows. (OS X and Linux users are not affected.) The flaw, discovered in the wild by Symantec, involves a buffer overflow vulnerability in one of RealPlayer’s ActiveX controls (specifically, ierpplug.dll). By enticing one of your users to a malicious Web site, an attacker can pass an over-long parameter to the vulnerable ActiveX control, which triggers the buffer overflow flaw. The attacker can then exploit the flaw to execute code on your user’s computer, inheriting your user’s privileges. Windows administrators often give users local administrator rights. If the exploit is successful in that context, the attacker would gain complete control of your user’s machine.

Symantec found attackers exploiting this vulnerability in the wild. In other words, the bad guys found the flaw first and are actively using it to break into computers. If you use RealPlayer in your network, this vulnerability poses a critical risk. You should apply RealNetwork’s update immediately.

Solution Path:

RealNetworks has released a patch to correct this vulnerability. Clients who use RealPlayer 10.5 or 11 beta in Windows should upgrade immediately, or remove the software entirely. You can download RealNetwork’s patch here.

For All WatchGuard Users:

The vulnerability described in our alert uses normal HTTP traffic, which you must allow for your users to browse the Web. If you use RealPlayer in your network, you should download RealNetwork’s update as soon as possible.

Status:

RealNetworks has issued a Security Update that fixes the problem.

References:

• RealNetworks Security Update

Symantec’s RealPlayer Alert

Severity: Medium

22 October, 2007

Summary:

Yesterday, Adobe released an update to fix critical security vulnerabilities that affect Adobe Reader 8.1 and Adobe Acrobat 8.1 (and all earlier versions) running on Windows XP. By enticing one of your users into opening a specially crafted PDF file, an attacker can exploit the worst of these flaws to gain control of that user’s system. If you use Adobe Reader or Acrobat in your network, you should download, test, and deploy version 8.1.1 as soon as possible.

Exposure:

In a security bulletin released yesterday, Adobe warned of several critical vulnerabilities in Reader 8.1 and Acrobat 8.1 (and all earlier versions) for Windows XP. While their advisory regularly mentions multiple vulnerabilities, they specifically refer to only one issue, which they describe in little detail. Adobe only says that if an attacker can convince a Windows XP user who also has Internet Explorer (IE) 7 into opening a specially crafted PDF file, the attacker can exploit this unspecified flaw to gain control of that user’s computer. Since you can embed PDF files into Web pages, simply visiting the wrong web page might trigger this flaw.

Petko D. Petkov (aka pdp) of GNUCITIZEN.org, first discovered this flaw last September. Following the tenets of responsible disclosure, he did not release any details about this flaw, instead waiting for Adobe to release a patch. However, he also promised to release Proof-of-Concept (PoC) code that demonstrates this flaw in action as soon as Adobe released their update. So expect to see exploits for this vulnerability shortly. Adobe users should upgrade as soon as possible.

Solution Path

Adobe Reader 8.1.1 and Acrobat 8.1.1 fix these vulnerabilities. Windows XP administrators should download, test, and deploy these updates as soon as possible.

• Adobe Reader 8.1.1
• Adobe Acrobat 8.1.1

For All WatchGuard Users:

Although many of WatchGuard’s Firebox models can block incoming PDF files, most administrators prefer to allow these file types for business purposes. You should download and install Adobe Reader 8.1.1 instead.

However, if you still want to block .PDF files, follow the links below for instructions:

• Firebox X Edge running 8.5
  • POP3 Proxy
  • HTTP Proxy

• Firebox III and X Core running WFS
  • SMTP Proxy
  • HTTP Proxy
  • Online Training Proxy Module

• Firebox X Core and X Peak running Fireware Pro
  • SMTP Proxy
  • HTTP Proxy

• Vclass
  • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .PDF files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “PDF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.PDF” and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks .PDF files.

 

•  
  • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .PDF files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “PDF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.PDF” and select Strip as the Action. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks .PDF files.

Status:

Adobe released Adobe Reader 8.1.1 and Acrobat 8.1.1 to correct these issues.

References:

• Adobe Security Bulletin
• GNUCITIZEN Zero Day PDF Blog Post

Severity: High

22 October, 2007

Summary:

Late Friday, RealNetworks released a patch for a critical vulnerability affecting RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. If you allow the use of RealPlayer in your network, have your users upgrade immediately.

Exposure:

RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you’ve watched streaming videos on the Internet, or listened to music samples while buying CDs online, you’ve probably encountered RealPlayer.

WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetwork’s “partners” (such as NASCAR and CNN) install software on your client computers. But in reality, many of your users have probably installed one of these products, with or without your permission.

In a security update released late Friday, RealNetworks warned of a new vulnerability that affects RealPlayer 10.5 and 11 beta running on Windows. (OS X and Linux users are not affected.) The flaw, discovered in the wild by Symantec, involves a buffer overflow vulnerability in one of RealPlayer’s ActiveX controls (specifically, ierpplug.dll). By enticing one of your users to a malicious Web site, an attacker can pass an over-long parameter to the vulnerable ActiveX control, which triggers the buffer overflow flaw. The attacker can then exploit the flaw to execute code on your user’s computer, inheriting your user’s privileges. Windows administrators often give users local administrator rights. If the exploit is successful in that context, the attacker would gain complete control of your user’s machine.

Symantec found attackers exploiting this vulnerability in the wild. In other words, the bad guys found the flaw first and are actively using it to break into computers. If you use RealPlayer in your network, this vulnerability poses a critical risk. You should apply RealNetwork’s update immediately.

Solution Path:

RealNetworks has released a patch to correct this vulnerability. Clients who use RealPlayer 10.5 or 11 beta in Windows should upgrade immediately, or remove the software entirely. You can download RealNetwork’s patch here.

For All WatchGuard Users:

The vulnerability described in our alert uses normal HTTP traffic, which you must allow for your users to browse the Web. If you use RealPlayer in your network, you should download RealNetwork’s update as soon as possible.

Status:

RealNetworks has issued a Security Update that fixes the problem.

References:

• RealNetworks Security Update
• Symantec’s RealPlayer Alert

Severity: Medium

19 October, 2007

Summary:

Late yesterday, the Mozilla Foundation released an update to fix ten security vulnerabilities in Firefox 2.0.0.7, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious web page, an attacker could exploit the worst of these vulnerabilities to execute code on your user’s computer, with your user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.8 at your earliest convenience.

Exposure:

Yesterday, the Mozilla Foundation released Firefox 2.0.0.8, fixing ten security vulnerabilities in the popular web browser. We summarize the three most critical vulnerabilities below:

• Two memory corruption vulnerabilities. Firefox suffers from two unspecified crash bugs, which corrupt memory. Mozilla presumes that with enough effort some of these memory corruption flaws could be exploited to run arbitrary code. To exploit these flaws, an attacker would first have to trick one of your users into visiting a specially crafted web page. If your user took the bait, the attacker could execute code on that user’s machine, with that user’s privileges. If your user were a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.

• JavaScript privilege elevation vulnerability. According to Mozilla, an attacker can use a Script object to modify XPCNativeWrappers, which in turn could allow the attacker to execute JavaScript with the same privileges as the Firefox user. Techno-babble aside, that means that if an attacker can get your user to visit his malicious web page, and he can convince that user to interact with his page in a particular way, he could exploit this vulnerability to execute malicious JavaScript on your user’s computer with the same privileges as your user. This malicious JavaScript could do just about anything that your user could. So if that user has local administrative or root privileges, an attacker could potentially leverage this vulnerability to gain complete control of the user’s machine.

• Firefox and Internet Explorer code execution vulnerability. In a past Wire post, we described a critical vulnerability in Internet Explorer’s (IE) URI handler that could be abused to launch a cross-browser scripting attack with Firefox. This attack only works if your users have both Firefox and Internet Explorer installed. If an attacker can entice one of your users to click a specially crafted link using IE, he could execute malicious JavaScript in Firefox with your user’s security privileges. If your user had local administrator privileges, the attacker could exploit this flaw to gain complete control of the user’s machines. Mozilla partially corrected the Firefox portion of this vulnerability in July. However, security researchers found new ways of exploiting this flaw using Windows XP with IE7. Today’s update fixes these additional flaws.

The remaining vulnerabilities include Denial of Service (DoS), information disclosure, and URL spoofing flaws. If you’d like to know more about them, check out Firefox’s known issues page. However, the critical vulnerabilities above should convince you to upgrade your Firefox users to the fixed version at your earliest convenience.

As an aside, the 2.0.0.8 update also adds Mac OS X 10.5 (Leopard) support to Firefox.

Solution Path:

Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.8 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox. We recommend that 1.5.x users migrate to 2.0.0.8 now.

• Windows
• Linux
• Mac OS X

Note: The latest versions of Firefox 2.0 automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to automatically download and install the update, or to merely inform the user that the update exists.

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 2.0.0.8, fixing these security issues.

References:

• Firefox 2.0.0.8 Release Notes
• Vulnerabilities Fixed in Firefox 2.0.0.8

by Corey Nachreiner, CISSP, Network Security Analyst, WatchGuard Technologies

[Editor’s Note: This article supplements the list of attacks shown in Part 2 of the video series, Malware Analysis: Botnets. “Malware Analysis: Botnets, Part 2″ shows a small subset of botnet attacks in action. This article fills out that subset with more attacks commonly found in a bot herder’s arsenal. LiveSecurity subscribers can find the videos, free of charge, on our Video Tutorials page. –Scott]

You’ll often hear botnets described as a “hacker’s Swiss army knife.” Just as a Swiss army knife can come with a crazy variety of blades, scissors, and screwdrivers, bots come with numerous exploits and commands that allow bot herders to launch many different types of attacks.

Since coding up a bot client takes time and skill, most attackers buy bot code in the online underground. Popular malicious bots include Phatbot, Agobot, and the one shown in our video, Rxbot. These bot clients use modular code, so if a bot herder doesn’t love the array of commands his bot offers, he simply adds new ones. For examples, read on.

What pairs better than zombies and spam?

Bot herders commonly leverage their bots as huge spam relays. How huge? According to a recent study by Commtouch, 87% of all email sent over the Internet during 2006 was spam. This e-junk generated up to 1700 terabytes (1,700,000,000 megabytes) of Internet traffic every day. Botnets generated 85% of that spam, a tidal wave of unwanted mail.

Most bot code comes with at least a few commands to make spamming easier. Some bots are even optimized specifically for spamming. A bot herder using Phatbot can issue the command harvest.emails to collect every email address on a victim’s computer. If a Phatbot herder’s botnet consists of thousands of victim machines, he could quickly and easily create gi-normous email lists to later spam.

Agobot is customized for spamming. It even includes its own SMTP engine so that it can spam directly. Its email spamming commands allow an Agobot herder to tell each of his victim’s computers to:

• Download a list of email addresses to spam
• Download a template email message to send out
• Start sending out messages using many different email threads simultaneously
• Start and stop spamming when instructed to.

The bot in our video, Rxbot, is not considered a spamming bot. However, even it contains an elementary command that allows a bot herder to send an email from all his zombie victims.

I’m hiding behind my SOCKS

Many bots include a SOCKS server. SOCKS (an abbreviation for sockets) is a networking protocol designed to pass TCP traffic through a proxy server. In other words, if a client wanted to visit www.google.com using SOCKS, the client would send its request to a SOCKS server instead of to Google directly. The SOCKS server forwards that request to Google and returns the response to the client. However, to Google it looks as though the request came from the SOCKS server, not the actual client.

Bot herders love to use the SOCKS proxy to spam. A bot master simply enables the SOCKS proxy on one of his bots, then redirects his SOCKS-compatible, mass emailing program to the IP address of that bot. This causes the email program to send email using that bot as a relay. If an anti-spam program blacklists the bot’s IP address, the herder activates the SOCKS proxy on another bot, and his spam seems to originate from a new, clean IP address.

Furthermore, the bot herder can use a SOCKS proxy to anonymize just about any network traffic. And in Rxbot, for instance, activating the SOCKS proxy is simple: one six-letter command initiates all those anonymizing benefits.

Some bots have a Man-in-the-Middle

Bots also help herders launch Man-in-the-Middle (MitM) attacks. Most bots come with commands that allow their creators to redirect network traffic any way they like. For instance, a bot herder could tell a bot to redirect all its web traffic to his computer. Then, every time the unwitting victim (whose machine is hosting that bot) browses the Web, the attacker sees the traffic before forwarding it to its intended destination. This is one way bot masters capture sensitive information or steal login credentials.

Rxbot comes with the .redirect command. Herders can use this command to forward the network traffic destined for any TCP port, to any IP address they choose. Phatbot comes with additional redirect commands that allow it to forward GRE traffic, the special protocol used in establishing PPTP VPN connections. These examples merely hint at what a bot herder can accomplish with redirects.

Click Fraud and Poll Manipulation

Nowadays, the lure of illegal easy money motivates most bot herders. Our video shows how crooks can force their bots to click on revenue-generating Google ad words. As another example, Rxbot has a simple-yet-effective .visit command. If you send your bots this command, followed by a URL, they silently visit that URL. Here, silently is a technical term meaning the bot victim will not see her computer visit the URL. The visit happens in the background, without any web browser involvement. So, imagine you have 100,000 bots. With one command you could easily force all those bots to visit an online poll, vote, or game. If you wanted ToneDeaf UglyDork to win American Idol, you could command all your bots to visit the American Idol voting page and submit a vote. Since every vote would come from a different IP address, the results would look legitimate. And if the flaws in American e-voting aren’t fixed before 2008, bots just might elect ToneDeaf UglyDork as President, too.

Spam + IM = SPIM

Many IRC bots today have Instant Messenger (IM) and Peer-to-Peer (P2P) components in their attack arsenal. For instance, some bots allow you to send spam to IM channels (nicknamed SPIM ). Attackers commonly send malicious files or URLs to IM users, hoping to infect them with malware. Some bots incorporate commands that allow the bot herder to send these types of IM messages to his bots’ IM buddies. If those buddies then visit the URL or execute an attached file, they get infected with the herder’s bot and become minions in his botnet.

Some bots offer similar commands that help them spread via P2P applications. For instance, Agobot spreads by placing copies of itself in the share directories used by many popular P2P programs such as Kazaa and Limewire. The bot gives its file an enticing name, such as the title of a movie still in theaters. When someone downloads and runs this malicious trojan, their computer becomes another zombie.

Is it just me, or does it smell like bots in here?

In the video, we mentioned that many bots come with packet sniffers. Packet sniffers allow a bot master to see all of the network traffic that passes by his bots, and sometimes all the traffic that passes within the bot victim’s network as well. Attackers can learn a lot by sniffing a network. For instance, a bot herder might capture cleartext logins or see web cookies. They could even passively enumerate your infected network.

Agobot comes with some very advanced packet sniffing capabilities. Rather than sniffing and reporting every single packet, which creates volumes of junk for the herder to parse, Agobot allows a herder to sniff for specific strings or types of traffic. For example, you can command Agobot to capture all the web cookies it sees passing over a network. You can also specifically tell it to only sniff FTP, or IRC logins. In short, if something passes over a network in clear text, Agobot’s sniffing can pinpoint it.

Stay as sharp as the crooks

In our video and this article, we’ve listed the most common “Swiss Army blades” used in bots today. Since botnets are evolving fast, bots could have all-new blades tomorrow. For now, you can protect yourself best by understanding the threat — and following the defense measures we outline in “Malware Analysis: Botnets, Part 3.” Look for it on our Video Tutorials page beginning 17 October, 2007. #

Severity: High

9 October, 2007

Summary:

Today, Microsoft released three security bulletins describing vulnerabilities that affect Windows and components shipping with it. A remote attacker could exploit the worst of these flaws to execute code on your Windows PC, potentially gaining complete control of it. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for October and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.

Exposure:

Microsoft’s three security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. The summary below lists the vulnerabilities from highest to lowest severity.

MS07-055 : Kodak Image Viewer Remote Code Execution Vulnerability

The Kodak Image Viewer ships with Windows and allows you to view digital images. Unfortunately, the Kodak Image Viewer suffers from an unspecified “code execution vulnerability” involving the way it parses specially crafted images. By enticing one of your users into opening and viewing a malicious image (for example, one from a web site or attached to an email), an attacker could exploit this vulnerability to execute code on your user’s machine, with your user’s privileges. If your user has local administrative privileges, the attacker gains complete control of your user’s machine. Microsoft’s bulletin doesn’t specify exactly what sort of image file triggers this vulnerability, or whether it’s triggered only by Kodak image formats (KDC, KDK, KIC, etc) or more typical images formats (BMP, JPG, GIF, etc.). We have to assume that every image type that the Kodak Image Viewer handles could potentially trigger this flaw.
Microsoft rating: Critical .

MS07-056 : Outlook Express and Windows Mail NNTP Memory Corruption Vulnerability

Windows ships with either the Outlook Express (OE) or the Windows Mail (WM) email client to allow you to download and read your email. According to Microsoft, both these email clients suffer from a memory corruption vulnerability involving the way they handle the Network News Transfer Protocol (NNTP) . By enticing one of your users to a specially designed web page containing NNTP content, an attacker could exploit this vulnerability to execute code on that user’s computer with that user’s privileges. Since typical Windows users have local administrative privileges, attackers can usually exploit this flaw to gain complete control of Windows machines.
Microsoft rating: Critical.

MS07-058 : Microsoft RPC Denial of Service Vulnerability

Microsoft Remote Procedure Call (RPC) is a protocol that allows Windows servers and clients to communicate with one another, and execute programs over a network. The RPC service that ships with Windows suffers from an unspecified Denial of Service (DoS) vulnerability involving one of its authentication methods. By sending a specially crafted RPC packet, an attacker can exploit this vulnerability to restart your Windows systems. A persistent attacker could repeat this attack to keep your Windows systems offline for as long as he liked. However, most administrators block the Microsoft RPC ports (ports 135, 137, 138, 139, 445, and 592) at their firewall. Therefore, we consider this primarily an internal threat.

Solution Path

Microsoft has released patches for Windows to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Note : Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at their Product Support Services web site .

MS07-055 :

• 2000
• XP SP2
• Server 2003

Doesn’t affect Vista or 64-bit versions of Windows.

MS07-056 :

• 2000
  • Outlook Express (OE) 5.5
  • Outlook Express (OE) 6
• XP SP2 (OE6)
• XP x64 (OE6)
• Server 2003 (OE6)
• Server 2003 Itanium Edition (OE6)
• Server 2003 x64 (OE6)
• Vista (Windows Mail)
• Vista x64 (Windows Mail)

MS07-058 :

• 2000
• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64
• Vista
• Vista x64

For All WatchGuard Users:

WatchGuard Fireboxes, by default, reduce the risks presented by many of these vulnerabilities. However, attackers could exploit some of these flaws via normal web or email traffic. Because of the diversity of attack scenarios these vulnerabilities present, and the possibility of local (internal) attacks that do not pass through the firewall, we urge you to apply the patches above.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS07-055
• Microsoft Security Bulletin MS07-056
• Microsoft Security Bulletin MS07-058