Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

May, 2010

  • MS10-030: Malicious Mail server vulnerability

    Today we released the fix for CVE-2010-0816 in MS10-030. This vulnerability affects Outlook Express, Windows Mail, and Windows Live Mail. We recommend that you install the update as soon as possible, but realize that some customers may need to prioritize which updates they install first. While the vulnerability is rated critical, many customers may not be affected by it. This blog post should help you better understand the risk associated with this vulnerability.

    Windows 7

    Default installations of Windows 7 are not affected by this vulnerability because they do not include Windows Live Mail. Windows Live Mail is available as a free download for Windows 7, but is not included in the operating system by default.

    Attack scenarios

    • Attacker intercepts and manipulates a user’s POP3 or IMAP connection to a legitimate email server. (Man-in-the-middle attack)
    • Attacker entices a user to connect to a malicious email server using either the POP3 or IMAP protocol

    Non-vulnerable scenarios

    • It is not possible for an attacker to exploit this vulnerability by simply sending a malicious email.
    • If you use an affected email program, but do not use POP3 or IMAP (e.g. you connect to an Exchange Server), you are not affected by this vulnerability, although we still recommend that you install the update.

    Attack vector details

    • Man-in-the-middle
      The most likely attack vector involves an attacker attempting to intercept and modify legitimate POP3 or IMAP communications going across an untrusted network, such as a Wi-Fi hotspot in a coffee shop. However, this attack would be less likely to succeed if those POP3 or IMAP sessions used SSL, an option available in your email account configuration if your server supports it.

    • Malicious email server
      A less likely attack vector involves an attacker convincing or forcing a user to connect to a malicious email server. Convincing a user to change their email client configuration to connect to a malicious email server would require significant social engineering, and so it is less likely to be successful. Forcing a user to connect to a malicious email server would require the attacker to be able to redirect the user’s connection attempt from a legitimate email server to a malicious one. However, to accomplish this attack, the attacker would either need access to the user’s local area network, or have some way to poison the DNS entry for the email server.

    Summary of risk

    | Usage scenario | POP3 / IMAP without SSL | POP3 / IMAP with SSL | All other protocols (e.g. Exchange) |
    |---|---|---|---|
    | You only check email while connected to a trusted network, connecting to a trusted email server | Low risk | Not affected | Not affected |
    | You check email while connected to untrusted networks, such as public Wi-Fi networks in coffee shops | Significant risk | Not affected | Not affected |
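The risk table above hinges on one question an administrator can actually measure: which clients are still fetching mail over cleartext POP3 (port 110) or IMAP (port 143) rather than the SSL-protected ports (995 and 993). The following script is an added example, not code from the original post or from Microsoft; it scans constructed firewall-style connection log lines (the log format, field names and addresses are assumptions) and reports the clients that are exposed to the man-in-the-middle scenario described above, so their account settings can be switched to SSL.

```python
"""Find clients using cleartext POP3/IMAP in connection logs (constructed example)."""

# Well-known mail ports: port -> (protocol, session is SSL/TLS-protected)
MAIL_PORTS = {
    110: ("POP3", False),
    143: ("IMAP", False),
    995: ("POP3", True),
    993: ("IMAP", True),
}

# Constructed sample log lines; the key=value layout is an assumed firewall format.
SAMPLE_LOG = """\
2010-05-11T09:01:02 src=10.0.0.12 dst=203.0.113.5 dport=110 proto=tcp
2010-05-11T09:01:05 src=10.0.0.12 dst=203.0.113.5 dport=995 proto=tcp
2010-05-11T09:02:17 src=10.0.0.33 dst=203.0.113.9 dport=143 proto=tcp
2010-05-11T09:03:40 src=10.0.0.47 dst=203.0.113.9 dport=993 proto=tcp
2010-05-11T09:04:01 src=10.0.0.33 dst=198.51.100.7 dport=443 proto=tcp
"""


def parse_line(line):
    """Turn one 'key=value' log line into a dict; the leading timestamp is kept under 'ts'."""
    tokens = line.split()
    if not tokens:
        return None
    fields = {"ts": tokens[0]}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def find_cleartext_mail(log_text):
    """Return (src, dst, protocol) for every POP3/IMAP session that is not SSL-protected."""
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("proto") != "tcp":
            continue
        try:
            port = int(rec.get("dport", ""))
        except ValueError:
            continue
        if port not in MAIL_PORTS:
            continue  # not a mail port at all (e.g. HTTPS)
        protocol, protected = MAIL_PORTS[port]
        if not protected:
            exposed.append((rec["src"], rec["dst"], protocol))
    return exposed


def clients_at_risk(log_text):
    """Sorted list of client addresses with at least one cleartext POP3/IMAP session."""
    return sorted({src for src, _dst, _proto in find_cleartext_mail(log_text)})


if __name__ == "__main__":
    for src, dst, proto in find_cleartext_mail(SAMPLE_LOG):
        print(f"{src} -> {dst}: cleartext {proto}, enable SSL for this account")
    print("clients to follow up:", clients_at_risk(SAMPLE_LOG))
```

Port numbers alone do not prove the session was unencrypted (a server may negotiate STARTTLS on 110 or 143), so treat the output as a list of accounts to verify, not as proof of compromise.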


    Thanks to Andrew Roths, Damian Hasse, and Fermin J. Serna for their contributions to this blog post.

    We hope you found this information helpful!

    -Kevin Brown, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • MS10-031: VBE6 Single-Byte Stack Overwrite

    Today we released bulletin MS10-031 addressing vulnerability CVE-2010-0815 in the VBE6.DLL library. VBE6.dll is part of Visual Basic Environment and can be used by many Microsoft products, including Microsoft Office. We wanted to share a little more detail about this vulnerability to help you make a risk decision regarding its exploitability.

    The vulnerability is a one-byte stack overwrite caused by a defect in text parsing code, with three additional conditions that limit the attacker’s control:

    • The byte being overwritten must be equal to 0x2e (46 decimal)
    • The overwriting value is always zero
    • No zero byte can be present between the parsing buffer and the byte being overwritten (0x2e)

    In theory there are a few ways this vulnerability could be used in a successful exploit, yet all of them require very specific properties of the program (for example, a return address that contains no 0x00 byte, does contain 0x2e, and, once that 0x2e is turned into 0x00, points to code usable by an exploit). Such properties, while possible, are unlikely to be found in practice.
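The three conditions above can be modelled directly, which makes it easier to see why the risk assessment is what it is. The script below is an added example, not Microsoft's analysis code or the vulnerable parser itself; it mirrors the stated behaviour (scan forward from the parsing buffer, stop at the first zero byte, and only a 0x2e byte can be turned into 0x00) on constructed memory layouts, and checks whether a 32-bit little-endian return address even has the properties the paragraph describes. The layouts and addresses are constructed samples, not values taken from VBE6.DLL.

```python
"""Model the three constraints on the MS10-031 one-byte overwrite (constructed example)."""
import struct

TARGET = 0x2E  # only a byte equal to 0x2e can be overwritten ...
WRITE = 0x00   # ... and it is always overwritten with zero


def overwritten_offset(memory, start):
    """Scan forward from `start` as the described defect does.

    The first 0x00 byte ends the scan. If a 0x2e byte is reached before that,
    its offset is returned; otherwise nothing is overwritten and None is returned.
    """
    for i in range(start, len(memory)):
        if memory[i] == WRITE:
            return None
        if memory[i] == TARGET:
            return i
    return None


def apply_defect(memory, start):
    """Return the memory image after the single overwrite (unchanged if none occurs)."""
    off = overwritten_offset(memory, start)
    if off is None:
        return bytes(memory)
    image = bytearray(memory)
    image[off] = WRITE
    return bytes(image)


def address_has_required_bytes(addr):
    """True only if a 32-bit address contains no 0x00 byte and at least one 0x2e byte."""
    raw = struct.pack("<I", addr & 0xFFFFFFFF)
    return WRITE not in raw and TARGET in raw


def count_candidate_addresses(addrs):
    """How many addresses in a sample satisfy the byte-level preconditions."""
    return sum(1 for a in addrs if address_has_required_bytes(a))


# Constructed layout: 8-byte parsing buffer, then 4 bytes of saved data, then a return address.
BUFFER = b"A" * 8
LAYOUT_WITH_ZERO = BUFFER + b"\x00\x00\x00\x00" + b"\x2e\x12\x34\x56"
LAYOUT_NO_ZERO = BUFFER + b"\x11\x22\x33\x44" + b"\x2e\x12\x34\x56"

if __name__ == "__main__":
    # A zero byte right after the buffer stops the scan: nothing beyond the buffer changes.
    print(overwritten_offset(LAYOUT_WITH_ZERO, len(BUFFER)))   # None
    # Without a zero byte the first 0x2e (offset 12) becomes 0x00.
    print(overwritten_offset(LAYOUT_NO_ZERO, len(BUFFER)))     # 12
    # Typical low-address code (0x0040xxxx) always contains a 0x00 byte on 32-bit.
    print(address_has_required_bytes(0x0040102E))              # False
    print(address_has_required_bytes(0x7C2E1234))              # True
```

Because the conditions are checked in sequence, a single 0x00 anywhere between the buffer and the candidate byte removes the possibility entirely; combined with the requirement that the address itself contain 0x2e and no 0x00, the model makes the "unlikely in practice" judgement above concrete.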

    In our analysis, we feel that consistent exploit code resulting in arbitrary code execution is not likely to be released within the next 30 days. However, following our general guidelines, we have classified this vulnerability as exploitable with possibility for code execution.

    - Greg Wroblewski, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*