Remote Information Disclosure in Microsoft Crypto API Used in Office and Outlook
CVE-2008-3068

Currently unrated

Key Information:

Vendor: Microsoft
Status: Frontpage; Sharepoint Designer; Office Communicator; Access
Vendor: CVE Published:; 7 July 2008

Summary

The Microsoft Crypto API, utilized in Outlook, Windows Live Mail, and Office 2007, is susceptible to a vulnerability that allows remote attackers to exploit Certificate Revocation List (CRL) checks. By using a maliciously crafted certificate containing an Authority Information Access (AIA) extension, attackers can obtain sensitive information such as reading times, IP addresses of email recipients, and results of port scans. This highlights significant security concerns surrounding the handling of S/MIME email messages and digitally signed documents.

References

https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt

x_refsource_MISC

http://securityreason.com/securityalert/3978

third-party-advisoryx_refsource_SREASON

http://www.securityfocus.com/archive/1/494101/100/0/threaded

mailing-listx_refsource_BUGTRAQ

EPSS Score

10% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jul 7, 2008
Vulnerability Reserved
Jul 7, 2008