Vulnerability Description
Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Access | 2007 |
| Microsoft | Excel | 2003 |
| Microsoft | FrontPage | 2003 |
| Microsoft | Groove | 2007 |
| Microsoft | InfoPath | 2003 |
| Microsoft | Office | 2007 |
| Microsoft | Office Communicator | 2007 |
| Microsoft | OneNote | 2003 |
| Microsoft | Outlook | 2003 |
| Microsoft | PowerPoint | 2003 |
| Microsoft | Project Professional | 2007 |
| Microsoft | Project Standard | 2007 |
| Microsoft | Publisher | 2003 |
| Microsoft | SharePoint Designer | 2007 |
| Microsoft | Visio Professional | 2007 |
| Microsoft | Visio Standard | 2007 |
| Microsoft | Windows Live Mail | 2008 |
References
- http://securityreason.com/securityalert/3978
- http://www.securityfocus.com/archive/1/493947/100/0/threaded
- http://www.securityfocus.com/archive/1/494101/100/0/threaded
- http://www.securityfocus.com/bid/28548
- http://www.securitytracker.com/id?1019736
- http://www.securitytracker.com/id?1019737
- http://www.securitytracker.com/id?1019738
- https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
- https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
- https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
- https://www.cynops.de/techzone/http_over_x509.html
- https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt
- https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt
- https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt
FAQ
What is CVE-2008-3068?
CVE-2008-3068 is a vulnerability with a CVSS score of 7.5 (HIGH). Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate...
How severe is CVE-2008-3068?
CVE-2008-3068 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2008-3068?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Access, Microsoft Excel, Microsoft FrontPage, Microsoft Groove, Microsoft InfoPath.