CVE-2011-2016 | Windows - Windows Mail and Windows Meeting Space Operational Intel

Executive Risk Summary

"A vulnerability in Windows Mail and Windows Meeting Space allows local users to gain privileges via a Trojan horse DLL in the current working directory. This vulnerability can be exploited by placing a malicious DLL in a directory that contains a .eml or .wcinv file."

Anticipated Attack Path

1. An attacker places a malicious DLL in the current working directory
2. The attacker creates a .eml or .wcinv file in the same directory
3. Windows Mail or Windows Meeting Space loads the malicious DLL, allowing the attacker to execute arbitrary code

Am I Vulnerable?

Verify that the system is running Windows Vista SP2, Windows Server 2008 SP2, R2, or R2 SP1, or Windows 7 Gold or SP1
Check for the presence of a malicious DLL in directories containing .eml or .wcinv files
Apply the patch from MS11-085 to fix the vulnerability

Operational Audit Arsenal

Target Type Process

Target Asset winmail.exe

Standard Path C:\Program Files\Windows Mail

PowerShell

# 🛠️ Senior Engineer Universal Audit
# Target: winmail.exe (Process)
$Targets = 'winmail.exe'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue | 
Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}