Remote Code Execution Vulnerability Discovered in Microsoft Windows Mail and Meeting Space Applications
( Microsoft Security Bulletin MS11-085, CVE-2011-2016 )
Summary
A remote code execution vulnerability has been reported in Microsoft Windows Mail and Windows Meeting Space. The Check Point IPS Software Blade provides network protection against this issue in the latest IPS update.
Details
Windows Mail, formerly known as Outlook Express, is an online communication tool for use with Windows. Windows Meeting Space allows Windows Vista users the ability to share documents, programs, and desktops.
The vulnerability can allow remote code execution if a user opens a legitimate file (such as a .eml or .wcinv file) that is located in the same network directory as a maliciously crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained.
Affected Products
The following operating systems are affected by this issue:
- Windows Vista SP2 and Vista x64 Edition SP 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems - original release and Service Pack 1
- Windows 7 for x64-based Systems - original release and Service Pack 1
- Windows Server 2008 R2 for x64-based Systems - original release and Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems - original release and Service Pack 1
Solution
The patch described in Microsoft Security Bulletin MS11-085 should be deployed as soon as is practical. In the meantime, the Check Point IPS Software Blade and NGX SmartDefense provide immediate network protection for unpatched systems by detecting and blocking attempts to transfer malicious DLL files over the CIFS and WebDAV protocols. For more information, consult CPAI-2011-506.
Originally Published:
Last Updated: 08-Nov-2011