MS-ISAC ADVISORY NUMBER:
2007-019

DATE(S) ISSUED:
10/9/2007

SUBJECT:
Multiple Remote Code Execution and Spoofing Vulnerabilities in Internet Explorer

OVERVIEW:

Three vulnerabilities have been found in Microsoft Internet Explorer that could allow an attacker to take complete control of the affected system or to trick users into believing they are connected to a trusted web site. Two of these vulnerabilities make it easier for an attacker to create phishing web sites that appear to be legitimate sites by allowing an attacker to display a spoofed address in the browser's address bar. For example; while your browser may display www.eBay.com(New Window) , the actual website address could be www.malicous-site.com(New Window) . Exploits of this nature may increase the success rate of phishing attacks, because the attackers can change the web page address shown in the browser to anything they want.

SYSTEMS AFFECTED:

  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition and Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 and Service Pack 2
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Microsoft Internet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Internet Explorer 7 Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Vista
  • Windows Internet Explorer 7 for Windows Vista x64 Edition

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Three vulnerabilities have been found in Microsoft Internet Explorer that could allow arbitrary code execution and address bar spoofing.

Address Bar Spoofing Vulnerabilities
Microsoft released information on two Internet Explorer vulnerabilities that allow an attacker to display a spoofed address in the browser's address bar. The user would only be able to see the address the attacker provides regardless of the site the user may currently be viewing. Specifically, the attacker could create a phishing site that would appear to be a valid web site and cause the address bar to also look valid. This may increase the success rate of phishing attacks.

Error Handling Memory Corruption Vulnerability
Microsoft also released information on a Memory Corruption Vulnerability. This vulnerability can be exploited by an attacker enticing a user to visit a specially crafted malicious web site. Successful exploitation would allow an attacker to execute arbitrary code on the system.

This bulletin replaces the previous cumulative update to Internet Explorer (MS07-045).

NOTE: Installing this patch will set the kill bit for the MSXML2 ActiveX control. Organizations using applications that require this ActiveX control may need to make application modifications and thoroughly test this patch before deployment.

RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Do not visit unknown or un-trusted Web sites or clink on links provided in an email -- to be safe type or cut and paste the URL into your browser.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx(New Window)

SecurityFocus:
http://www.securityfocus.com/bid/25915(New Window)
http://www.securityfocus.com/bid/25916(New Window)
http://www.securityfocus.com/bid/22680(New Window)
http://www.securityfocus.com/bid/24911(New Window)

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1091(New Window)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3826(New Window)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3892(New Window)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3893(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.