Executive Summary
Summary | |
---|---|
Title | Microsoft Windows "MHTML" protocol handler fails to properly interpret HTTP header |
Information | |||
---|---|---|---|
Name | VU#682825 | First vendor Publication | 2007-06-13 |
Vendor | VU-CERT | Last vendor Modification | 2007-06-21 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#682825
Microsoft Windows "MHTML" protocol handler fails to properly interpret HTTP header

Overview
Microsoft Windows "MHTML" protocol handler fails to properly interpret HTTP headers, which may cause information disclosure.

I. Description
The Microsoft Windows "MHTML" protocol handler contains an information disclosure vulnerability in the way that it interprets HTTP headers. The "MHTML" protocol handler fails to properly interpret HTTP headers when returning MHTML content, which may allow Internet Explorer to bypass Internet Explorer domain restrictions.

II. Impact
By convincing a user to visit a specially crafted website, a remote, unauthenticated attacker may be able to access sensitive information.

III. Solution
Apply an update
This issue is addressed by Microsoft Security Bulletin MS07-034.
References
This vulnerability was reported in Microsoft Security Bulletin MS07-034. Microsoft thanks SANS ISC for their assistance. This document was written by Katie Steiner.
Original Source
Url : http://www.kb.cert.org/vuls/id/682825 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:2045 | |||
Oval ID: | oval:org.mitre.oval:def:2045 | ||
Title: | URL Parsing Cross Domain Information Disclosure Vulnerability | ||
Description: | A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2007-2225 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | Microsoft Outlook Express |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2011-01-14 | Name : Microsoft Outlook Express/Windows Mail MHTML URI Handler Information Disclosu... File : nvt/gb_ms07-034.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
35345 | Microsoft Outlook Express / Windows Mail URL Parsing Cross Domain Information... |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2007-06-14 | IAVM : 2007-B-0011 - Multiple Vulnerabilities in Microsoft Outlook Express and Windows Mail Severity : Category II - VMSKEY : V0014354 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2007-06-12 | Name : Arbitrary code can be executed on the remote host through the email client. File : smb_nt_ms07-034.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-05-08 13:28:06 |