MS-ISAC ADVISORY NUMBER:
2007-010

DATE(S) ISSUED:
5/8/2007

SUBJECT:
Vulnerability in CAPICOM Could Allow Remote Code Execution

OVERVIEW:
A vulnerability exists in a Microsoft security technology called CAPICOM which allows application developers to easily incorporate digital signatures and encryption functionality into applications. The known vehicle for exploiting CAPICOM is though the web browser, Internet Explorer. If successfully exploited, a remote attacker can take complete control of the affected system.

Of particular importance is that the presence of CAPICOM on computers used by general users may be more wide spread than expected. For this reason, organizations should assume systems are vulnerable and apply the appropriate patches as soon as possible.

SYSTEMS AFFECTED:

  • CAPICOM
  • Platform SDK Redistributable: CAPICOM
  • BizTalk Server 2004 Service Pack 1
  • BizTalk Server 2004 Service Pack 2

In addition to the affected systems above, any system that has the affected CAPICOM.dll installed is potentially at risk and should be patched immediately.

RISK:
Government:

Large and medium government entities: High

Small government entities: High

Businesses:

Large and medium business entities: High

Small business entities: High

Home users: High

DESCRIPTION:
This vulnerability exists in a Microsoft ActiveX control that enables applications to sign and validate Cryptographic API Component Object Model (CAPICOM) Certificates. Affected systems include CAPICOM.dll version 2.1.01 or lower. A system can be exploited by luring a user to visit malicious web sites with Internet Explorer containing ActiveX controls which employs the vulnerable dll to verify the CAPICOM certificates. These exploits could allow a remote attacker to execute arbitrary code on the system in the context of the current user.

Users of Internet Explorer 7 with the default install settings are not affected by this vulnerability. However, if this ActiveX control was used with CAPICOM in a previous version of Internet Explorer, then this ActiveX control is enabled to work in Internet Explorer 7 causing the upgraded version of Internet Explorer 7 to be vulnerable.

RECOMMENDATIONS:
We recommend the following actions be taken:

REFERENCES:
Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms07-028.mspx(New Window)
http://msdn2.microsoft.com/en-us/library/ms995332.aspx(New Window)

Security Focus:

http://www.securityfocus.com/bid/23782(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.