Vulnerability Description
Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a Trojan horse wab32res.dll file in the current working directory, as demonstrated by a directory that contains a Windows Address Book (WAB), VCF (aka vCard), or P7C file, aka "Insecure Library Loading Vulnerability." NOTE: the codebase for this product may overlap the codebase for the product referenced in CVE-2010-3143.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Outlook Express | 6.00.2900.5512 |
| Microsoft | Windows 2003 Server | All versions |
| Microsoft | Windows 7 | All versions |
| Microsoft | Windows Server 2003 | All versions |
| Microsoft | Windows Server 2008 | All versions |
| Microsoft | Windows Vista | All versions |
| Microsoft | Windows Xp | All versions |
References
- http://secunia.com/advisories/41050Vendor Advisory
- http://www.attackvector.org/new-dll-hijacking-exploits-many/Exploit
- http://www.exploit-db.com/exploits/14745/Exploit
- http://www.securitytracker.com/id?1024878
- http://www.us-cert.gov/cas/techalerts/TA10-348A.htmlUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-09
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
- http://secunia.com/advisories/41050Vendor Advisory
- http://www.attackvector.org/new-dll-hijacking-exploits-many/Exploit
- http://www.exploit-db.com/exploits/14745/Exploit
- http://www.securitytracker.com/id?1024878
- http://www.us-cert.gov/cas/techalerts/TA10-348A.htmlUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-09
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
FAQ
What is CVE-2010-3147?
CVE-2010-3147 is a vulnerability with a CVSS score of 9.3 (HIGH). Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold,...
How severe is CVE-2010-3147?
CVE-2010-3147 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-3147?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Outlook Express, Microsoft Windows 2003 Server, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008.