Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2008-3068
Last Modified: 30 Oct 2012 10:59:15
Published: 07 Jul 2008 07:41:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-3068

Summary

Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.

Vulnerable Systems

Application

  • Microsoft Access 2007

  • Microsoft Excel 2003

  • Microsoft Excel 2007

  • Microsoft FrontPage 2003

  • Microsoft Groove 2007

  • Microsoft InfoPath 2003

  • Microsoft InfoPath 2007

  • Microsoft Office 2007

  • Microsoft Office Communicator 2007

  • Microsoft OneNote 2003

  • Microsoft Outlook 2003

  • Microsoft Outlook 2007

  • Microsoft PowerPoint 2003

  • Microsoft PowerPoint 2007

  • Microsoft Project Professional 2007

  • Microsoft Project Standard 2007

  • Microsoft Publisher 2003

  • Microsoft Publisher 2007

  • Microsoft SharePoint Designer 2007

  • Microsoft Visio Professional 2007

  • Microsoft Visio Standard 2007

  • Microsoft Windows Live Mail 2008


References

MISC - https://www.cynops.de/techzone/http_over_x509.html

MISC - https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt

MISC - https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt

MISC - https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt

BID - 28548

BUGTRAQ - 20080709 Re: Unauthorized reading confirmation from Outlook

BUGTRAQ - 20080703 Unauthorized reading confirmation from Outlook

SREASON - 3978

SECTRACK - 1019738

SECTRACK - 1019736

SECTRACK - 1019737


Last Updated: 27 May 2016 11:01:18