Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-3068

Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.

Published

2008-07-07T23:41:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	microsoft	access	2007	Yes
Application	microsoft	excel	2003	Yes
Application	microsoft	excel	2007	Yes
Application	microsoft	frontpage	2003	Yes
Application	microsoft	groove	2007	Yes
Application	microsoft	infopath	2003	Yes
Application	microsoft	infopath	2007	Yes
Application	microsoft	office	2007	Yes
Application	microsoft	office	2007	Yes
Application	microsoft	office_communicator	2007	Yes
Application	microsoft	onenote	2003	Yes
Application	microsoft	outlook	2003	Yes
Application	microsoft	outlook	2007	Yes
Application	microsoft	powerpoint	2003	Yes
Application	microsoft	powerpoint	2007	Yes
Application	microsoft	project_professional	2007	Yes
Application	microsoft	project_standard	2007	Yes
Application	microsoft	publisher	2003	Yes
Application	microsoft	publisher	2007	Yes
Application	microsoft	sharepoint_designer	2007	Yes
Application	microsoft	visio_professional	2007	Yes
Application	microsoft	visio_standard	2007	Yes
Application	microsoft	windows_live_mail	2008	Yes

References

http://securityreason.com/securityalert/3978 ([email protected])
http://www.securityfocus.com/archive/1/493947/100/0/threaded ([email protected])
http://www.securityfocus.com/archive/1/494101/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/28548 ([email protected])
http://www.securitytracker.com/id?1019736 ([email protected])
http://www.securitytracker.com/id?1019737 ([email protected])
http://www.securitytracker.com/id?1019738 ([email protected])
https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt ([email protected])
https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt ([email protected])
https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt ([email protected])
https://www.cynops.de/techzone/http_over_x509.html ([email protected])
https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt ([email protected])
https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt ([email protected])
https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt ([email protected])
http://securityreason.com/securityalert/3978 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/493947/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/494101/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/28548 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1019736 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1019737 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1019738 (af854a3a-2127-422b-91ae-364da2661108)
https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.cynops.de/techzone/http_over_x509.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt (af854a3a-2127-422b-91ae-364da2661108)