MS-ISAC ADVISORY NUMBER:
2007-014

DATE(S) ISSUED:
6/12/2007
6/14/2007 - Updated

SUBJECT:
Multiple Remote Code Execution Vulnerabilities in Internet Explorer

ORIGINAL OVERVIEW:
Five vulnerabilities have been found in Microsoft Internet Explorer that could allow arbitrary code execution. These vulnerabilities can be exploited if a user visits a malicious website or clicks on a link in an email. An attacker who successfully exploited a system with any of the five vulnerabilities mentioned below could take complete control of a compromised system. If the user is running Internet Explorer and is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.
Proof of concept code has been made publicly available for one of the vulnerabilities described in this bulletin.

Note: This update replaces the previous cumulative update to Internet Explorer (MS07-027). This previous update was originally released on May 8, 2007.

JUNE 14 UPDATED INFORMATION:
New exploit code is available targeting one of the five vulnerabilities identified in this bulletin.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Vista
  • Microsoft Windows Vista x64 Edition
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows Vista
  • Windows Internet Explorer 7 for Windows Vista x64 Edition

RISK UNCHANGED FROM ORIGINAL RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High

ORIGINAL DESCRIPTION:
On June 12, 2007, Microsoft released Security Bulletin MS07-033, which contains five vulnerabilities found in Microsoft Internet Explorer that could allow arbitrary code execution on Microsoft systems.

COM Object Instantiation Memory Corruption Vulnerability
The first vulnerability is due to an error in the way Internet Explorer creates Component Object Model (COM) objects. COM objects are used to communicate between processes. Exploitation of this vulnerability occurs if a user visits a web site that contains malicious content, and could possibly lead to the execution of arbitrary code. The code would be executed with the privileges of the user that is running Internet Explorer.

CSS Tag Memory Corruption Vulnerability
The second vulnerability can be exploited by an attacker enticing a user to visit a specially crafted malicious web site. Internet Explorer will then mishandle the CSS tag included in the page. This can allow the attacker to execute arbitrary code on the system under the context of the current user.

Language Pack Installation Vulnerability
The third vulnerability exists in Internet Explorer in the way that it handles the language pack installation. When a user views a specially crafted web site, the vulnerability could allow for remote code execution. Successfully exploiting this vulnerability could allow an attacker to take complete control of an affected system. User interaction is required to exploit this vulnerability.

Uninitialized Memory Corruption Vulnerability
The fourth vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or that has been deleted. When a user views a specially crafted web site, the vulnerability could allow for remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Navigation Cancel Page Spoofing Vulnerability
A spoofing vulnerability exists in Internet Explorer that could allow an attacker to display spoofed content in a Navigation Canceled page. When a user views a page specially crafted by the attacker, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. Proof of concept code has been made publicly available for this vulnerability.

An attacker who successfully exploited a system with any of the five vulnerabilities mentioned could take complete control of an affected system. If the user that is running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

JUNE 14 UPDATED DESCRIPTION:

There are currently two exploits targeting the Microsoft Internet Explorer COM Object vulnerability. One exploit is reported to achieve code execution on Windows XP SP2, while the other targets Windows 2000 SP4. Both of the publicly available exploits rely on Active Scripting in order to exploit the vulnerability.

Both exploits target the Speech API 4 COM Object and exploit two specific .dll files, 'XListen.dll' and 'XVoice.dll'. These files are associated with the Windows Win32 Speech API (SAPI) version 4.0. Based on our analysis, this module does not appear to be installed by default on Windows XP SP2 systems. Therefore, in order to determine whether or not a system has the SAPI 4.0 module installed, the system should be checked for the presence of these two files:

WINDOWS/speech/Xvoice.dll
WINDOWS/speech/Xlisten.dll

Furthermore, later versions of the Speech API (versions 5.0 and 5.1) do not contain these two files and do not appear to be vulnerable to this particular proof of concept code.
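The following script is an added example and is not part of the MS-ISAC advisory. It automates the check the update describes: look in the speech directory under the Windows directory for the two SAPI 4.0 files and report whether the host is a target for the public proof of concept code. It assumes the files, when installed, live in %SystemRoot%\speech as the advisory states; the default path C:\WINDOWS and the use of the local host name in the report are assumptions for illustration. Note that a negative result only means this particular proof of concept does not apply; it says nothing about whether the MS07-033 update is installed, so the patch is still required either way.

```python
"""Check a Windows host for the SAPI 4.0 files named in the MS-ISAC advisory.

Added example, not code from the advisory. Assumes the files live in
<SystemRoot>\\speech (per the advisory); the C:\\WINDOWS fallback and the
host name in the report are assumptions for illustration only.
"""
import os
import socket
from pathlib import Path

# DLLs the advisory associates with SAPI 4.0 and with the public exploit code.
SAPI4_FILES = ("Xvoice.dll", "Xlisten.dll")


def classify_speech_dir(filenames):
    """Return the SAPI 4.0 DLLs found in a listing of <SystemRoot>\\speech.

    Matching is case-insensitive: Windows file systems do not distinguish
    case, and the advisory itself writes both 'XVoice.dll' and 'Xvoice.dll'.
    The result keeps the order of SAPI4_FILES.
    """
    seen = {name.lower() for name in filenames}
    return [dll for dll in SAPI4_FILES if dll.lower() in seen]


def find_sapi4_files(windows_dir):
    """List the SAPI 4.0 DLLs actually present under <windows_dir>/speech."""
    speech_dir = Path(windows_dir) / "speech"
    if not speech_dir.is_dir():
        return []
    return classify_speech_dir(p.name for p in speech_dir.iterdir() if p.is_file())


def assess(found):
    """Translate the file check into the advisory's terms.

    Presence of either DLL means the public proof-of-concept code has a
    target on this host; absence only means that particular PoC does not
    apply. Neither outcome says whether the MS07-033 update is installed,
    so the patch is required in both cases.
    """
    if found:
        return ("SAPI 4.0 files present (%s): host exposed to the public PoC; "
                "apply MS07-033" % ", ".join(found))
    return "SAPI 4.0 files absent: public PoC does not apply; apply MS07-033 regardless"


def default_windows_dir():
    # %SystemRoot% is defined on Windows; the fallback is the directory the advisory names.
    return os.environ.get("SystemRoot", r"C:\WINDOWS")


if __name__ == "__main__":
    found = find_sapi4_files(default_windows_dir())
    print("%s: %s" % (socket.gethostname(), assess(found)))
```

Run it on each host under review (or distribute it through whatever remote execution tooling the organization already uses) and collect the one-line report; hosts reporting the files present should be prioritized for patching and for the Active Scripting mitigation listed below.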

RECOMMENDATIONS:
We continue to recommend the following actions:

  • Apply the appropriate patch to affected systems after appropriate testing. The patch can be obtained from http://www.microsoft.com/technet/security/bulletin/MS07-033.mspx
  • Do not visit unknown or untrusted web sites or follow links provided by unknown or untrusted sources.
  • Educate users to not click on links contained in emails from untrusted sources.
  • Read email messages in Plain-text format.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet Zone.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS07-033.mspx

SecurityFocus:
http://www.securityfocus.com/bid/24448
http://www.securityfocus.com/bid/24372
http://www.securityfocus.com/bid/24418
http://www.securityfocus.com/bid/24423
http://www.securityfocus.com/bid/24426
http://www.securityfocus.com/bid/24429

US-CERT:
http://www.us-cert.gov/cas/techalerts/TA07-163A.html

CVE:
CVE-2007-0218 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0218
CVE-2007-1750 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1750
CVE-2007-1751 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1751
CVE-2007-1752 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1752
CVE-2007-2222 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2222
CVE-2007-3027 -- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3027


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.