MS-ISAC ADVISORY NUMBER:
2007-014

DATE(S) ISSUED:
6/12/2007

SUBJECT:
Multiple Remote Code Execution Vulnerabilities in Internet Explorer

OVERVIEW:
Five vulnerabilities have been found in Microsoft Internet Explorer that could allow arbitrary code execution. These vulnerabilities can be exploited if a user visits a malicious website or clicks on a link in an email. An attacker who successfully exploited a system with any of the five vulnerabilities mentioned below could take complete control of a compromised system. If the user that is running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

Proof of concept has been made publicly available for one of the vulnerabilities issued in this bulletin.

Note: This update replaces the previous cumulative update to Internet Explorer (MS07-027). This previous update was originally released on May 8, 2007.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Vista
  • Microsoft Windows Vista x64 Edition
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows Vista
  • Windows Internet Explorer 7 for Windows Vista x64 Edition

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

On June 12, 2007, Microsoft released Security Bulletin MS07-033, which addresses five vulnerabilities in Microsoft Internet Explorer that could allow arbitrary code execution on Microsoft systems.

COM Object Instantiation Memory Corruption Vulnerability
The first vulnerability is due to an error in the way Internet Explorer creates Component Object Model (COM) objects. COM objects are used to communicate between processes. Exploitation of this vulnerability occurs if a user visits a web site that contains malicious content, and could possibly lead to the execution of arbitrary code. The code would be executed with the privileges of the user that is running Internet Explorer.

CSS Tag Memory Corruption Vulnerability
The second vulnerability can be exploited by an attacker enticing a user to visit a specially crafted malicious web site. Internet Explorer will then mishandle the CSS tag included in the page. This can allow the attacker to execute arbitrary code on the system under the context of the current user.

Language Pack Installation Vulnerability
The third vulnerability exists in Internet Explorer in the way that it handles the language pack installation. When a user views a specially crafted web site, the vulnerability could allow for remote code execution. Successfully exploiting this vulnerability could allow an attacker to take complete control of an affected system. User interaction is required to exploit this vulnerability.

Uninitialized Memory Corruption Vulnerability
The fourth vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or that has been deleted. When a user views a specially crafted web site, the vulnerability could allow for remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Navigation Cancel Page Spoofing Vulnerability
A spoofing vulnerability exists in Internet Explorer that could allow an attacker to display spoofed content in a Navigation Canceled Page. When a user views a page specially crafted by the attacker, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. Proof of concept has been made publicly available for this vulnerability.

An attacker who successfully exploited a system with any of the five vulnerabilities mentioned could take complete control of an affected system. If the user that is running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

RECOMMENDATIONS:
We recommend the following actions:

  • Apply the appropriate patch provided by Microsoft to affected systems after appropriate testing. The patch can be obtained from http://www.microsoft.com/technet/security/bulletin/MS07-033.mspx
  • Do not visit unknown or untrusted web sites or follow links provided by unknown or untrusted sources.
  • Educate users to not click on links contained in emails from untrusted sources.
  • Read email messages in Plain-text format.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet Zone.
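
The Active Scripting recommendation above can be audited and applied through the registry. The following PowerShell is an added example, not part of the original advisory; it assumes the standard Internet Explorer zone layout (zone 3 is the Internet zone, URL action 1400 is Active Scripting), and the function names are hypothetical.

```powershell
# Added example: Internet zone = 3, Active Scripting URL action = 1400.
# DWORD values: 0 = enable, 1 = prompt, 3 = disable.
$ZoneSubKey = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action     = '1400'
$Meaning    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingSetting {
    # Report every location that can hold the setting: policy and
    # preference, per-machine and per-user.
    $paths = @(
        "HKLM:\Software\Policies\$ZoneSubKey",
        "HKCU:\Software\Policies\$ZoneSubKey",
        "HKCU:\Software\$ZoneSubKey",
        "HKLM:\Software\$ZoneSubKey"
    )
    foreach ($path in $paths) {
        $prop = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'Not set'
        } else {
            $raw   = [int]$prop.$Action
            $state = if ($Meaning.ContainsKey($raw)) { $Meaning[$raw] } else { "Unknown ($raw)" }
        }
        [pscustomobject]@{
            Path           = $path
            State          = $state
            NeedsAttention = ($state -eq 'Enabled')   # scripts run without a prompt
        }
    }
}

function Set-ActiveScripting {
    # Writes the per-user preference only. If a policy value exists,
    # change it through Group Policy instead.
    param([ValidateSet('Prompt', 'Disable')][string]$Mode = 'Prompt')
    $value = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    $path  = "HKCU:\Software\$ZoneSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value $value -Type DWord
}

# Audit first; apply only after reviewing the output.
Get-ActiveScriptingSetting | Format-Table -AutoSize
# Set-ActiveScripting -Mode Prompt
```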

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS07-033.mspx

SecurityFocus:
http://www.securityfocus.com/bid/24448
http://www.securityfocus.com/bid/24372
http://www.securityfocus.com/bid/24418
http://www.securityfocus.com/bid/24423
http://www.securityfocus.com/bid/24426
http://www.securityfocus.com/bid/24429

US-CERT:
http://www.us-cert.gov/cas/techalerts/TA07-163A.html

CVE:
CVE-2007-0218 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0218
CVE-2007-1750 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1750
CVE-2007-1751 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1751
CVE-2007-1752 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1752
CVE-2007-2222 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2222
CVE-2007-3027 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3027


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.