CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 2nd, 2008

Microsoft Office S/MIME Processing Remote Users Vulnerability

Alexander Klink of Cynops GmbH reported a new vulnerability in Microsoft Office. A remote user can access arbitrary URLs via the target user’s system: a specially crafted S/MIME-signed document, when opened by the target user, causes the target user’s system to access arbitrary HTTP URLs specified by the certificate.

When opening a document with a digital signature, Office 2007 attempts to use the additional URLs contained in the certificate to download information relevant for the verification of the certificate. It will automatically send out HTTP requests to any location that is reachable from the client – which might include networks previously unreachable to an attacker.

The results are unnoticed access to external or internal web servers, which in turn could be attacked using other vectors, and – in the simplest case – an “opening confirmation”, which is often undesired by the recipient as well (as it can be used to track who opened which document at what time).

The access is performed by the Microsoft Cryptographic API via the authorityInfoAccess caIssuers extension. A remote user may be able to exploit this to conduct port scanning against arbitrary systems.
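
A defensive check for the behaviour described above, added here as an example and not taken from the advisory or the original page: it parses the DER value of an authorityInfoAccess extension, lists the caIssuers URLs, and flags those that point at internal addresses or unusual ports. The sample extension bytes, the host names and the `review` policy are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2
OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1
URI_TAG = 0x86  # GeneralName [6] uniformResourceIdentifier

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ca_issuers_urls(aia_der):
    """List caIssuers URIs in a DER AuthorityInfoAccessSyntax value."""
    urls, pos, body = [], 0, read_tlv(aia_der, 0)[1]  # body of outer SEQUENCE
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)     # AccessDescription
        _, method, nxt = read_tlv(desc, 0)     # accessMethod OID
        loc_tag, loc, _ = read_tlv(desc, nxt)  # accessLocation
        if method == CA_ISSUERS and loc_tag == URI_TAG:
            urls.append(loc.decode("ascii"))
    return urls

def review(url):
    """Reasons not to fetch this URL automatically (empty list = none)."""
    parts, reasons = urlsplit(url), []
    host = parts.hostname or ""
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port")
    try:  # is_private also covers loopback and link-local ranges
        if ipaddress.ip_address(host).is_private:
            reasons.append("internal address")
    except ValueError:  # host is a name, not an IP literal
        if "." not in host:
            reasons.append("single-label host name")
    return reasons

def _tlv(tag, value):  # short-form encoder, only used to build the sample
    return bytes([tag, len(value)]) + value
# Constructed sample extension value: two caIssuers entries, one OCSP entry.
SAMPLE_AIA = _tlv(0x30, b"".join(
    _tlv(0x30, _tlv(0x06, oid) + _tlv(URI_TAG, url)) for oid, url in [
        (CA_ISSUERS, b"http://10.0.0.5:8080/ca.crt"), (OCSP, b"http://ocsp.example.com"),
        (CA_ISSUERS, b"http://pki.example.com/issuer.crt")]))
```

Running `review` over `ca_issuers_urls(SAMPLE_AIA)` flags the first URL for both its port and its address and passes the second; the OCSP entry is skipped because only the caIssuers access method is collected.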

Demonstration exploit: http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx
Original advisory: https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
Solution: No solution was available at the time of this entry.

The vendor was notified on March 18, 2008 and for now this vulnerability remains unpatched.
