
CERT-In Vulnerability Note CIVN-2006-130
Windows Address Book Contact Record Vulnerability

Original Issue Date: December 13, 2006

Severity Rating: Medium

Systems Affected

  • Microsoft Outlook Express 5.5 Service Pack 2 on Windows 2000 Service Pack 4
  • Microsoft Outlook Express 6 Service Pack 1 on Windows 2000 Service Pack 4
  • Microsoft Outlook Express 6 on Windows XP Service Pack 2
  • Microsoft Outlook Express 6 on Windows XP Professional x64 Edition
  • Microsoft Outlook Express 6 on Windows Server 2003
  • Microsoft Outlook Express 6 on Windows Server 2003 Service Pack 1
  • Microsoft Outlook Express 6 on Windows Server 2003 x64 Edition
  • Microsoft Outlook Express 6 on Windows Server 2003 (Itanium)
  • Microsoft Outlook Express 6 on Windows Server 2003 SP1 (Itanium)

Overview

A buffer overflow vulnerability has been reported in Microsoft Outlook Express which could be exploited by an attacker to take complete control of the system.

Description

Windows Address Book (WAB) is an application provided by Windows for storing contact information.

The vulnerability is caused by a buffer overflow error in Windows Address Book within Outlook Express.

An attacker could exploit this vulnerability by creating a specially crafted WAB file and sending it to a vulnerable system. Successful exploitation allows the attacker to take complete control of the system.

It may be noted that successful exploitation requires the user of the affected system to be logged in with administrative privileges.

Workaround

Back up and remove the .wab file association.
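
One way to carry out this workaround from an elevated PowerShell prompt, shown as an added example that is not part of the original note or of the Microsoft bulletin. It assumes the association is stored at the standard HKEY_CLASSES_ROOT\.wab location, and the backup file name is a placeholder.

```powershell
# Added example: back up, then remove, the .wab file association.
# Assumptions: elevated prompt; association under the standard
# HKEY_CLASSES_ROOT\.wab key; backup file name is a placeholder.
$key    = 'HKCR\.wab'
$psKey  = 'Registry::HKEY_CLASSES_ROOT\.wab'
$backup = Join-Path $env:USERPROFILE 'wab-association-backup.reg'

if (-not (Test-Path -LiteralPath $psKey)) {
    Write-Output 'No .wab association present; nothing to remove.'
    return
}

# Step 1: back up. Export the key and confirm a non-empty file was written.
reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or
    -not (Test-Path -LiteralPath $backup) -or
    (Get-Item -LiteralPath $backup).Length -eq 0) {
    throw "Backup of $key failed; the association was left untouched."
}

# Step 2: remove. Only reached when the backup succeeded.
reg.exe delete $key /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not delete $key (is the prompt elevated?)."
}

# Step 3: verify. HKCR is a merged view of the per-machine and per-user
# class keys, so a remaining copy would still show up here.
if (Test-Path -LiteralPath $psKey) {
    throw "$key is still present after deletion; check both HKLM and HKCU classes."
}
Write-Output "Association removed. Restore with: reg import `"$backup`""
```

After the patch is applied, the association can be restored by importing the backup file.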

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS06-076.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms06-076.mspx

Reference

FrSIRT
http://www.frsirt.com/english/advisories/2006/4969

CVE Name
CVE-2006-2386

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003