VYPR
High severity 7.3 · NVD Advisory · Published Nov 8, 2011 · Updated Apr 29, 2026

CVE-2011-2016

Description

Untrusted search path vulnerability in Windows Mail and Meeting Space allows DLL hijacking via .eml or .wcinv files from remote directories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An untrusted search path vulnerability exists in Windows Mail and Windows Meeting Space on Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 [1]. The vulnerability occurs because these applications load external libraries without first ensuring the library path is secure. When a user opens a legitimate .eml or .wcinv file from a network directory or WebDAV share, the application may load a malicious DLL located in the same directory, leading to arbitrary code execution.

Exploitation

To exploit this vulnerability, an attacker must place a specially crafted DLL and a legitimate .eml or .wcinv file in a remote file system location (e.g., a network share or WebDAV). The attacker then convinces the user to open the file from that location. When Windows Mail or Windows Meeting Space loads the file, it searches the current working directory for required DLLs and loads the attacker's malicious DLL instead of the intended library. No additional authentication is required beyond the user's actions [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the current user. If the user has administrative rights, the attacker can gain complete control over the affected system, including installing programs, viewing or modifying data, and creating new accounts with full user rights. The impact is limited to the user's privilege level [1].

Mitigation

Microsoft released security update MS11-085 in November 2011 to address this vulnerability. The update corrects how Windows Mail and Windows Meeting Space load external libraries. Users should install the update via Windows Update or manually. As a workaround, users should avoid opening .eml or .wcinv files from untrusted network locations. No other mitigations are necessary [1].
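
A detection-side check for the load pattern described above, as an added example that is not part of the advisory or of any vendor tooling: it flags module-load events in which a DLL came from the same remote (UNC or WebDAV) directory as the opened .eml or .wcinv file. The event field names (`command_line`, `module`), the hosts, the paths and `example.dll` are constructed assumptions.

```python
import ntpath
import re

DOC_EXTS = (".eml", ".wcinv")  # file types named in the advisory

def is_remote(path):
    """True for UNC paths, which cover SMB shares and WebDAV redirector paths."""
    return path.startswith("\\\\") and not path.startswith(("\\\\?\\", "\\\\.\\"))

def opened_document(command_line):
    """Return the first .eml/.wcinv argument on a command line, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        arg = quoted or bare
        if arg.lower().endswith(DOC_EXTS):
            return arg
    return None

def suspicious_loads(events):
    """Return events where a DLL was loaded from the remote directory of the opened document."""
    hits = []
    for ev in events:
        doc = opened_document(ev["command_line"])
        dll = ev["module"]
        if not doc or not is_remote(doc) or not dll.lower().endswith(".dll"):
            continue
        # Windows paths are case-insensitive, so compare normalised directories.
        doc_dir = ntpath.normcase(ntpath.dirname(doc))
        dll_dir = ntpath.normcase(ntpath.dirname(dll))
        if doc_dir == dll_dir:
            hits.append(ev)
    return hits

# Constructed sample events (hypothetical field names, hosts and paths; not real telemetry).
SAMPLE = [
    # Document on a share, library from the system directory: expected behaviour.
    {"command_line": r'"C:\Program Files\Windows Mail\WinMail.exe" "\\fs01\public\invoice.eml"',
     "module": r"C:\Windows\System32\example.dll"},
    # Document on a share, library from the same share directory: flagged.
    {"command_line": r'"C:\Program Files\Windows Mail\WinMail.exe" "\\fs01\public\invoice.eml"',
     "module": r"\\FS01\Public\example.dll"},
    # Same pattern over WebDAV with a .wcinv file: flagged.
    {"command_line": r'WinCollab.exe \\dav.example.test@SSL\DavWWWRoot\share\meeting.wcinv',
     "module": r"\\dav.example.test@SSL\DavWWWRoot\share\example.dll"},
    # Local document: outside the remote-directory condition in the advisory.
    {"command_line": r'WinMail.exe "C:\Users\alice\Documents\note.eml"',
     "module": r"C:\Users\alice\Documents\example.dll"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE):
        print("remote DLL load beside opened document:", hit["module"])
```
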

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:*:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x32:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

2
