MS-ISAC ADVISORY NUMBER:
2007-012 Updated

DATE(S) ISSUED:
5/8/2007 - Updated

SUBJECT:
Multiple Remote Code Execution Vulnerabilities in Internet Explorer

OVERVIEW:
Microsoft has released Security Bulletin (MS07-027) which announces a cumulative security update for Internet Explorer. This advisory addresses five vulnerabilities found in Microsoft Internet Explorer.

An attacker may exploit these vulnerabilities by convincing a user to visit a malicious web site. If successful, the attacker will be able to take complete control of the affected system with the same user rights as the logged-on user.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition

RISK:
Government:

Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Five vulnerabilities have been found in Microsoft Internet Explorer that could allow arbitrary code execution on Microsoft systems.

COM Object Instantiation Memory Corruption Vulnerability
The first vulnerability is due to an error in the way Internet Explorer creates Component Object Model (COM) objects. COM objects are used to facilitate inter-process communication. Exploitation could occur if a user visits a web site that contains malicious content, which could lead to the execution of arbitrary code. The code would be executed with the privileges of the user running Internet Explorer.

Uninitialized Memory Corruption Vulnerability
The second vulnerability can be exploited by an attacker who creates a website containing malicious content. When a user visits this malicious site, Internet Explorer will attempt to access an object that has already been deleted or was incorrectly created, which would allow the attacker to execute arbitrary code on the affected system.

Property Memory Corruption Vulnerability
A vulnerability exists in the way Internet Explorer handles a property method. An attacker can exploit this vulnerability to corrupt data contained in memory on the target machine. Successful exploitation will allow the attacker to execute code remotely with the same permissions as the local user.

HTML Objects Memory Corruption Vulnerability
Several vulnerabilities exist in Internet Explorer due to the application attempting to access uninitialized regions of memory. As with the previous vulnerabilities, this flaw can be leveraged to allow execution of remote code on the victim's machine.

Arbitrary File Rewrite Vulnerability
A remote execution vulnerability exists in an unspecified Internet Explorer media service component. This vulnerability can also be exploited by convincing the victim to visit a malicious website.

Note: By default, Server 2003 runs Internet Explorer in a restricted mode that sets the security level to high. This prevents users from going to sites that have not been added to the trusted zone. Internet Explorer 7, by default, does not include COM Objects in the allow-list for ActiveX controls. However, if the user had upgraded from a previous version of Internet Explorer that had allowed these COM Objects, the COM Objects will still be allowed in Internet Explorer 7. In this case the user would have to disable the COM Objects for their ActiveX controls.

An attacker who successfully exploited a system with any of the five vulnerabilities mentioned could take complete control of an affected system. If the user running Internet Explorer is logged in with administrator privileges, the attacker could then have full account privileges.

Note: This Microsoft Security Bulletin replaces the previous cumulative update to Internet Explorer (MS07-016). This previous update was originally released on February 13, 2007.

RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Apply all the appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing: http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx
  • Do not visit unknown or untrusted Web sites or follow links provided by unknown or untrusted sources.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.
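
The third recommendation can be verified on a host with a read-only audit of the Internet Zone's ActiveX settings. This is an added example, not part of the MS-ISAC advisory or the Microsoft bulletin; it assumes PowerShell 3.0 or later and the standard Internet Explorer zone registry layout (zone 3 = Internet; 0 = enable, 1 = prompt, 3 = disable), and it checks the ActiveX download and scripting actions in addition to the "run" action the advisory names.

```powershell
# Added example: read-only audit of ActiveX URL actions in the Internet Zone.
# Zone 3 is the Internet Zone; each URL action is a DWORD named by its hex ID.
$zonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# ActiveX-related URL actions (1200 is the "run" action the advisory names).
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Get-SettingName([int]$Value) {
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        0x10000 { 'Administrator approved' }
        default { "Unknown ($Value)" }
    }
}

$findings = foreach ($path in $zonePaths) {
    if (-not (Test-Path $path)) { continue }        # hive or policy key not present
    $key = Get-ItemProperty -Path $path
    foreach ($id in $actions.Keys) {
        $raw = $key.$id
        if ($null -eq $raw) { continue }            # action not set under this key
        [pscustomobject]@{
            Key     = $path
            Action  = $id
            Meaning = $actions[$id]
            Setting = Get-SettingName $raw
            # The advisory asks for prompt (1) or disable (3); flag anything else.
            MeetsRecommendation = ($raw -in 1, 3)
        }
    }
}

$findings | Sort-Object MeetsRecommendation |
    Format-Table Action, Meaning, Setting, MeetsRecommendation, Key -AutoSize
```

Rows where MeetsRecommendation is False sort first; values under the Policies keys come from Group Policy, so a non-compliant row there has to be fixed in the policy rather than on the host.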

REFERENCES:
HTML Help ActiveX Control Vulnerability

Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms07-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx

SecurityFocus:
http://www.securityfocus.com/bid/23772
http://www.securityfocus.com/bid/23771
http://www.securityfocus.com/bid/23769
http://www.securityfocus.com/bid/23770

US-CERT:
http://www.us-cert.gov/cas/techalerts/TA07-128A.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0942
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2221


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.