MS-ISAC ADVISORY NUMBER:
2007-007

DATE(S) ISSUED:
2/14/2007

SUBJECT:
Multiple Remote Code Execution Vulnerabilities Exploitable through Internet Explorer

Three vulnerabilities have been found in Microsoft Internet Explorer that would allow an attacker to obtain complete control of the affected system. These vulnerabilities can be exploited if a user visits a malicious web site or a legitimate web site that may contain advertisements that have had malicious code inserted into them. Two of the three vulnerabilities have public exploit code available. Microsoft has released three security bulletins addressing each of the vulnerabilities. We are including the three security bulletins in one advisory because they share common exploit mechanisms, workarounds, and risk potential, and to emphasize that they should all be applied together to effectively protect users.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
  • Microsoft Data Access Components 2.7 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Three new vulnerabilities have been found to be exploitable through Microsoft Internet Explorer that would allow arbitrary code execution on Microsoft systems.

The first vulnerability (MS07-008) is due to a flaw in the HTML Help ActiveX control. Exploitation of this vulnerability could occur if a user visits a Web site that contains malicious content, and could lead to the execution of arbitrary code. The code would be executed with the privileges of the user that is running Internet Explorer.

The second vulnerability (MS07-009) exists in the ADODB.Connection ActiveX control that is included in Internet Explorer as part of Microsoft Data Access Components (MDAC). A Web site that hosts malicious code can pass unexpected data to the aforementioned ActiveX control which could cause Internet Explorer to fail in a way that would allow code execution.

The third vulnerability (MS07-016) exists in the way Internet Explorer instantiates certain COM objects as ActiveX controls. If a malicious COM object is read by Internet Explorer, it may corrupt the system state in a way that an attacker could execute arbitrary code. This COM object could be placed on either a Web site that hosts user-posted content or on a site that contains malicious content.

Note: By default, Server 2003 runs Internet Explorer in a restricted mode that sets the security level to high. This prevents users from going to sites that have not been added to the trusted zone. Internet Explorer 7, by default, does not include COM Objects in the allow-list for ActiveX controls. However, if the user had upgraded from a previous version of Internet Explorer that had allowed these COM Objects, the COM Objects will still be allowed in Internet Explorer 7. In this case the user would have to disable the COM Objects for their ActiveX controls.

An attacker who successfully exploited a system with any of the three vulnerabilities mentioned could take complete control of an affected system. If the user running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patches provided by Microsoft to vulnerable systems as soon as possible after appropriate testing.
  • Do not visit unknown or untrusted Web sites or follow links provided by unknown or untrusted sources.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.
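
One way to check and apply the last recommendation on a workstation, as an added example that is not part of the original advisory or of Microsoft's bulletins: the script reads the Internet Zone (zone 3) ActiveX URL-action values from the registry, reports whether each is set to Prompt or Disable, and with -Apply writes the chosen value to the current user's preference key. The parameter and function names are assumptions of this example.

```powershell
# Added example: audit, and with -Apply set, the ActiveX URL actions of the Internet Zone.
# Zone 3 is the Internet Zone; action data 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply, [ValidateSet(1, 3)][int]$Target = 1)   # 1 = prompt, 3 = disable

$zone    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Checked in this order: machine policy, user policy, then the per-user preference.
$sources = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$zone"
    'User policy'     = "HKCU:\Software\Policies\$zone"
    'User preference' = "HKCU:\Software\$zone"
}

function Get-EffectiveAction([string]$Id) {
    foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $sources[$name] -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $item) { return @{ Value = [int]$item.$Id; Source = $name } }
    }
    return @{ Value = $null; Source = 'Not set' }
}

if ($Apply) {
    $pref = $sources['User preference']
    if (-not (Test-Path $pref)) { New-Item -Path $pref -Force | Out-Null }
    foreach ($id in $actions.Keys) {
        Set-ItemProperty -Path $pref -Name $id -Value $Target -Type DWord
    }
}

$actions.Keys | ForEach-Object {
    $found = Get-EffectiveAction $_
    $value = $found.Value
    [pscustomobject]@{
        Action      = $_
        Description = $actions[$_]
        Source      = $found.Source
        Setting     = if ($null -eq $value) { 'n/a' } elseif ($labels.ContainsKey($value)) { $labels[$value] } else { '0x{0:X}' -f $value }
        MeetsAdvice = ($value -eq 1 -or $value -eq 3)
    }
} | Format-Table -AutoSize
```

A row whose Source is a policy key is controlled by Group Policy, so the value written by -Apply to the user preference will not take effect for it; change the policy instead.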

REFERENCES:
HTML Help ActiveX Control Vulnerability
Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms07-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx

SecurityFocus:
http://www.securityfocus.com/bid/22478
http://www.securityfocus.com/bid/20704
http://www.securityfocus.com/bid/22486

US-CERT:
http://www.kb.cert.org/vuls/id/563756
http://www.kb.cert.org/vuls/id/589272
http://www.kb.cert.org/vuls/id/753924

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0214
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4697
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0217


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.