CVE-2008-3068 Information

Description

Microsoft Crypto API 5.131.2600.2180 through 6.0 as used in Outlook Windows Live Mail and Office 2007 performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document which allows remote attackers to obtain reading times and IP addresses of recipients and port-scan results via a crafted certificate with an Authority Information Access (AIA) extension.

Reference

http://securityreason.com/securityalert/3978 http://www.securityfocus.com/archive/1/493947/100/0/threaded http://www.securityfocus.com/archive/1/494101/100/0/threaded http://www.securityfocus.com/bid/28548 http://www.securitytracker.com/id?1019736 http://www.securitytracker.com/id?1019737 http://www.securitytracker.com/id?1019738 https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt https://www.cynops.de/techzone/http_over_x509.html https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt