Today we released the fix for CVE-2010-0266, an Important severity vulnerability in Microsoft Office Outlook.  Yorick Koster, working with the SSD/SecuriTeam Secure Disclosure program, reported this issue.


What’s the risk?


This vulnerability enables an attacker to make a dangerous e-mail attachment appear legitimate or benign.  If the victim opens the attachment, code from a remote UNC path could execute without prior warning.


UNC paths are commonly associated with SMB file shares.  However, edge firewalls typically block SMB (TCP 445 and 139), so SMB is less likely to be usable for Internet-based attacks.  That said, UNC paths can also reach resources over HTTP.  On Windows XP and later, the WebDAV mini-redirector (a.k.a. the WebClient service) lets web content be accessed via UNC paths.  This traffic is far more likely to pass through firewalls, since WebDAV is an extension of HTTP and commonly traverses port 80 like ordinary web browser traffic.


To see the WebDAV mini-redirector in action, try the following:

  1. Launch Fiddler to observe HTTP traffic.
  2. From the Start menu, open “Run…” and enter the UNC path \\live.sysinternals.com (the Sysinternals Live share, which is served over WebDAV rather than SMB).
  3. Observe that the contents of the live.sysinternals.com “file share” are displayed in Explorer.
  4. Also observe the HTTP traffic associated with the resulting WebDAV requests.
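The following PowerShell function is an added example, not code from the original post: it translates a UNC path into the URL the WebDAV mini-redirector will request for it, so the HTTP traffic you see in Fiddler can be predicted from the path alone.  It handles the redirector's own host syntax (\\host@SSL\… for HTTPS, \\host@8080\… for an explicit port) and the DavWWWRoot marker that denotes the site root.  The example.com hostnames and file names at the bottom are constructed for illustration.

```powershell
# Added example (not from the original MSRC post): map a UNC path to the
# HTTP(S) URL the WebDAV mini-redirector (WebClient service) requests for it.
# Supports the redirector's host syntax, \\host@SSL\... -> https and
# \\host@8080\... -> explicit port, and drops the DavWWWRoot root marker,
# which is not sent on the wire. Sample paths below are constructed.
function ConvertTo-WebDavUrl {
    param([Parameter(Mandatory = $true)][string]$UncPath)

    # \\hostspec\rest  (rest may be empty); single quotes keep the backslashes literal
    if ($UncPath -notmatch '^\\\\([^\\]+)\\?(.*)$') {
        throw "Not a UNC path: $UncPath"
    }
    $hostSpec = $Matches[1]
    $rest     = $Matches[2]

    # Host spec may carry @SSL and/or @<port> suffixes, e.g. server@SSL@8443
    $parts  = $hostSpec -split '@'
    $server = $parts[0]
    $scheme = 'http'
    $port   = $null
    if ($parts.Count -gt 1) {
        foreach ($p in $parts[1..($parts.Count - 1)]) {
            if ($p -eq 'SSL')          { $scheme = 'https' }   # -eq is case-insensitive
            elseif ($p -match '^\d+$') { $port   = [int]$p }
        }
    }

    # Split the share/path part, dropping empty segments from doubled slashes
    $segments = @($rest -split '\\' | Where-Object { $_ -ne '' })
    # DavWWWRoot is a client-side marker for the web root, not a real folder
    if ($segments.Count -gt 0 -and $segments[0] -eq 'DavWWWRoot') {
        $segments = @($segments | Select-Object -Skip 1)
    }
    $path = ($segments | ForEach-Object { [Uri]::EscapeDataString($_) }) -join '/'

    $authority = if ($port) { "${server}:${port}" } else { $server }
    return "${scheme}://${authority}/${path}"
}

# Constructed sample paths; the second and third use the @SSL / @port syntax.
'\\live.sysinternals.com\tools\procexp.exe',
'\\files.example.com@SSL\DavWWWRoot\tool.exe',
'\\files.example.com@8080\share\run me.exe' |
    ForEach-Object { '{0}  ->  {1}' -f $_, (ConvertTo-WebDavUrl $_) }
# http://live.sysinternals.com/tools/procexp.exe
# https://files.example.com/tool.exe
# http://files.example.com:8080/share/run%20me.exe
```

In Fiddler the corresponding traffic appears as OPTIONS and PROPFIND requests to the computed URL, sent with a User-Agent beginning Microsoft-WebDAV-MiniRedir/, which is a useful proxy-log signature for distinguishing redirector traffic from browser traffic.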


How can I protect myself?


First, we recommend applying the update as soon as possible.  If you are not able to apply the update, there is a workaround that can help protect your environment from WebDAV-based attacks.  While this won’t prevent all attacks, it will block the most likely vector for Internet-based attacks.


Workaround - Disable the WebClient Service


Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it will still be possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.


To disable the WebClient Service, follow these steps:

  1. Click Start, click Run, type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.


Impact of workaround


When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted, so WebDAV shares will be inaccessible from the client computer. Any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log.


How to undo the workaround


To enable the WebClient Service, follow these steps:

  1. Click Start, click Run, type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Automatic. If the service is not running, click Start.
  4. Click OK and exit the management application.
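The following PowerShell is an added example, not code from the original post.  It performs the same change as the Services.msc steps above, both applying the workaround and undoing it, from an elevated prompt, and includes a check that can be run across many machines to confirm the workaround is actually in effect.  The only assumption is that the target runs Windows PowerShell with the WebClient service installed; the function fails with an error if the service is absent.

```powershell
# Added example (not from the original MSRC post): apply or undo the WebClient
# workaround from an elevated PowerShell prompt and report the resulting state.
function Set-WebClientWorkaround {
    param(
        # -Undo restores the service (Startup type Automatic, started);
        # without it the workaround is applied (Disabled, stopped).
        [switch]$Undo
    )

    # Terminating error if the service is absent (e.g. Windows Server without
    # the Desktop Experience feature) rather than silently doing nothing.
    $svc = Get-Service -Name WebClient -ErrorAction Stop

    if ($Undo) {
        Set-Service -Name WebClient -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name WebClient }
    } else {
        Set-Service -Name WebClient -StartupType Disabled
        # -Force also stops any services that depend on WebClient (see "Impact").
        if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    }

    # Re-read so the returned object reflects the post-change state.
    $svc = Get-Service -Name WebClient
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    New-Object PSObject -Property @{
        Name       = $svc.Name
        Status     = $svc.Status      # Running / Stopped
        StartMode  = $wmi.StartMode   # Auto / Manual / Disabled
        Dependents = @($svc.DependentServices | ForEach-Object { $_.Name })
    }
}

# Returns $true when the workaround is in effect on this host: the service is
# either not installed at all, or is both Disabled and Stopped.
function Test-WebClientWorkaround {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($wmi -eq $null) { return $true }
    return ($wmi.StartMode -eq 'Disabled' -and $wmi.State -eq 'Stopped')
}

# Usage (run as Administrator):
#   Set-WebClientWorkaround          # apply:  StartMode Disabled, Status Stopped
#   Test-WebClientWorkaround         # True once the workaround is in effect
#   Set-WebClientWorkaround -Undo    # revert: StartMode Auto, Status Running
```

Test-WebClientWorkaround deliberately checks both the startup type and the current state: a service that is Disabled but still running continues to serve WebDAV requests until it is stopped or the machine reboots.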


Thanks to Kevin Brown, Naveen Palavalli, and Andrew Roths for contributing to this blog post.


- David Ross, MSRC Engineering