MS-ISAC ADVISORY NUMBER:
2008-037

DATE(S) ISSUED:
11/11/2008

SUBJECT:
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

OVERVIEW:

Three vulnerabilities have been discovered in Microsoft XML Core Services (MSXML). This is a set of services which is installed by default on all Windows systems, and is used to enhance the user experience on web pages. The identified vulnerabilities may be exploited if a user visits a specially crafted web page or opens a specially crafted HTML-formatted email, which could allow an attacker to take complete control of an affected system. For one of the vulnerabilities, successful exploits will result in an attacker gaining the same privileges as the logged-on user. If the user is logged in with administrative privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with user rights. The remaining two vulnerabilities will lead to information disclosure.

SYSTEMS AFFECTED:

  • Microsoft XML Core Services 3.0
  • Microsoft XML Core Services 4.0
  • Microsoft XML Core Services 5.0
  • Microsoft XML Core Services 6.0
  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Microsoft Office

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Three vulnerabilities have been discovered in Microsoft XML Core Services that could allow an attacker to take complete control of an affected system. These vulnerabilities may be exploited if a user visits a specially crafted web page or opens a specially crafted HTML-formatted email. Details of these vulnerabilities are:

MSXML Memory Corruption Vulnerability:
Remote code can be executed due to the way XML content is parsed by Microsoft XML Core Services 3.0. Successful exploits will result in an attacker gaining the same privileges as the logged-on user. If the user is logged in with administrative privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with user rights.

MSXML DTD Cross-Domain Scripting Vulnerability:
A vulnerability exists in the way MSXML (4.0, 5.0, 6.0) handles external Document Type Definitions (DTDs), which could allow a violation of the cross-domain policy within the web browser. Successful exploits could result in information disclosure.

MSXML Header Request Vulnerability:
MSXML (4.0, 5.0, 6.0) is prone to a vulnerability because it fails to properly handle HTTP request fields sent by clients, which can allow session state corruption. Successful exploits could result in information disclosure.

Please note that installing a newer version of MSXML does not overwrite or remove older versions, which remain vulnerable. Applying the patch will update all versions on the system.
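
Because several MSXML versions can sit side by side on one host, patch verification has to look at every copy. The following PowerShell inventory is an added example, not part of the original advisory or of Microsoft's tooling. The search locations are assumptions about typical install paths, and the minimum fixed versions are placeholders to be filled in from the file information in MS08-069, since this advisory does not list them.

```powershell
# Added example: list every MSXML DLL on a host, including side-by-side versions.
# Search roots are assumptions about typical install locations; adjust as needed.
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:CommonProgramFiles\Microsoft Shared",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared"
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Minimum fixed file version per MSXML major version.
# PLACEHOLDERS: set each to a [version] taken from the MS08-069 bulletin.
$minFixed = @{ 3 = $null; 4 = $null; 5 = $null; 6 = $null }

function Get-MsxmlInventory {
    param([string[]]$Path, [hashtable]$MinimumFixed)
    foreach ($root in $Path) {
        # System directories are searched flat; the Office shared tree is nested.
        $recurse = $root -like '*Microsoft Shared*'
        Get-ChildItem -Path $root -Filter 'msxml*.dll' -File -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^msxml\d\.dll$' } |
            ForEach-Object {
                $vi    = $_.VersionInfo
                $ver   = New-Object System.Version ($vi.FileMajorPart, $vi.FileMinorPart,
                                                    $vi.FileBuildPart, $vi.FilePrivatePart)
                $major = [int]($_.BaseName -replace '\D', '')   # msxml4.dll -> 4
                $min   = $MinimumFixed[$major]
                [pscustomobject]@{
                    Msxml       = $major
                    FileVersion = $ver
                    Status      = if ($null -eq $min) { 'no threshold set' }
                                  elseif ($ver -lt $min) { 'BELOW FIXED VERSION' }
                                  else { 'ok' }
                    Path        = $_.FullName
                }
            }
    }
}

Get-MsxmlInventory -Path $roots -MinimumFixed $minFixed |
    Sort-Object Msxml, Path |
    Format-Table -AutoSize
```

A host that shows more than one Msxml value has side-by-side installs, and each row needs to meet its own threshold.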

The patches available in this bulletin replace the patches found in MS07-042.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Read all e-mail messages in plain text.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-069.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0099
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4029
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4033

Secunia:
http://secunia.com/advisories/23655

SecurityFocus:
http://www.securityfocus.com/bid/21872


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.