Security Intelligence Operations - Cisco Systems


Microsoft XML Core Services Memory Corruption Vulnerability

 
Vulnerability Alert
Powered by Cisco Security IntelliShield Alert Manager

Threat Type: Unintended Weakness: Arbitrary Code Execution
IntelliShield ID: 13935
Version: 7
First Published: August 14, 2007 04:51 PM EDT
Last Published: June 25, 2008 06:57 AM EDT
Vector: Network
Authentication: None
Exploit: Proof-of-Concept
Port: Not Available
CVE: CVE-2007-2223
BugTraq ID: 25301
 
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2)
CVSS Temporal: 7.3
 
Version Summary:

Microsoft has re-released a security bulletin with additional affected products and patches to address the Microsoft XML Core Services memory corruption vulnerability.

 
 
Description

Microsoft XML Core Services (MSXML) versions 3.0, 4.0, 5.0, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.

This vulnerability exists due to insufficient validation of scripts that use MSXML. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a malicious website. A script as part of this website could trigger the corruption of system memory, allowing the attacker to execute arbitrary code with the privileges of the user.

Proof-of-concept code that demonstrates the denial of service condition is available.

Microsoft has confirmed this vulnerability in a security bulletin and released software updates that correct it.

 
Warning Indicators

Microsoft XML Core Services versions 3.0, 4.0, 5.0, and 6.0 running on the following systems are vulnerable:

  • Windows 2000 SP4 and prior with XML Core Services 6.0 and prior
  • Windows XP SP2 and prior with XML Core Services 6.0 and prior
  • Windows XP SP3 with XML Core Services 4.0
  • Windows Server 2003 SP2 and prior with XML Core Services 6.0 and prior
  • Windows Server 2003 x64 Edition with XML Core Services 6.0 and prior
  • Windows Server 2003 Itanium-based systems with XML Core Services 6.0 and prior
  • Windows Server 2008 with Microsoft XML Core Services 4.0
  • Windows Server 2008 x64 Edition with Microsoft XML Core Services 4.0
  • Windows Server 2008 Itanium-based systems with Microsoft XML Core Services 4.0
  • Windows Vista with XML Core Services 6.0 and prior
  • Windows Vista SP1 with XML Core Services 4.0 
  • Windows Vista x64 Edition with XML Core Services 6.0 and prior
  • Windows Vista x64 Edition SP1 with XML Core Services 4.0
  • Expression Web
  • Office 2003 SP2 with XML Core Services 5.0
  • Word Viewer 2003 with XML Core Services 5.0
  • Office 2007 with XML Core Services 5.0 and prior
  • Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats 
  • Office SharePoint Server with XML Core Services 5.0
  • Office Groove Server 2007 with XML Core Services 5.0
 
IntelliShield Analysis

The affected XML components likely reside on every system that runs a current Microsoft-based operating system. However, attackers may not target critical systems because the vulnerability cannot be directly exploited and requires user interaction to be successful.

Based on available information, the affected parameter could be either the offset or count parameter of the substringData() method, with count being the most likely affected parameter. The substringData() method accepts two parameters: offset (the index at which to begin copying string input) and count (how many characters to copy). Because Microsoft's XML documentation for substringData() defines both parameters as 32-bit signed integers, an integer overflow is the likely root cause. The resulting memory corruption is likely caused by the use of a wrapped integer to size a large memory copy operation.

As is typical of this class of vulnerability, the greatest threat of exploitation comes from users who follow links without thinking about the consequences. Attackers are likely to provide links to malicious sites using a variety of means, including providing links in e-mail, instant messaging, and postings to a public forum or newsgroup. Links may also be hosted on peer-to-peer sites. Such tactics may include the use of e-mail header spoofing in an attempt to ensure that e-mail messages appear to originate from trusted sources. Because this vulnerability has a strong user component, organizations that have implemented an ongoing and effective user education process are less likely to be affected.

The update available from Microsoft corrects this vulnerability by adding checks to properly validate memory requests.
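The integer-wrap mechanism hypothesised in the analysis above, and the kind of argument validation the update is described as adding, shown as an added C example. This is not MSXML code: it models the analyst's hypothesis over a plain byte string with a constructed sample node rather than the real UTF-16 DOM implementation, and the function names are the example's own.

```c
/* Added example, not MSXML code: models the suspected 32-bit wrap in a
 * substringData()-style offset/count computation and the hardened check. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a DOM text node's data (37 bytes). */
static const char SAMPLE_TEXT[] = "<!-- constructed sample node data -->";

/* Naive length computation of the kind the analysis suspects: offset+count
 * is formed in a signed 32-bit integer, so a huge count wraps the sum
 * negative, the clamp to `len` never fires, and the size handed to the
 * copy is far larger than the node. The wrap is simulated via uint32_t
 * to keep the demonstration free of undefined behaviour. */
uint32_t naive_copy_len(int32_t offset, int32_t count, int32_t len)
{
    int32_t end = (int32_t)((uint32_t)offset + (uint32_t)count); /* wraps */
    if (end > len) end = len;                 /* never true after a wrap */
    return (uint32_t)end - (uint32_t)offset;  /* size a memcpy would receive */
}

/* Hardened check: validate each argument on its own and derive the copy
 * length with a minimum instead of an addition, so nothing can wrap.
 * Returns -1 where the W3C DOM raises INDEX_SIZE_ERR (negative argument
 * or offset past the end); a count past the end is clamped, as the DOM
 * specifies for substringData(). */
int64_t safe_copy_len(int32_t offset, int32_t count, int32_t len)
{
    if (offset < 0 || count < 0 || offset > len) return -1;
    int32_t remaining = len - offset;         /* both non-negative: no overflow */
    return count < remaining ? count : remaining;
}

/* substringData() equivalent over a NUL-terminated byte string: returns a
 * heap copy of the selected range (caller frees) or NULL on INDEX_SIZE_ERR. */
char *substring_data(const char *data, int32_t offset, int32_t count)
{
    size_t raw_len = strlen(data);
    if (raw_len > (size_t)INT32_MAX) return NULL;
    int64_t n = safe_copy_len(offset, count, (int32_t)raw_len);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (out == NULL) return NULL;
    memcpy(out, data + offset, (size_t)n);
    out[n] = '\0';
    return out;
}
```

With offset 16 and count INT32_MAX on the 37-byte sample, the naive path yields a copy length of 2147483647 while the hardened path yields 21.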

Windows Vista-based systems that have applied the updated version of XML Core Services 4.0 may experience compatibility or reliability issues in some configurations. Microsoft has released Knowledge Base article 941833 and an associated hotfix to remedy the problem if it should arise.

 
Vendor Announcements

Microsoft has re-released a security bulletin at the following link: MS07-042 

Microsoft has released a knowledge base article to detail potential Windows Vista compatibility and reliability issues within the previous patches at the following link: 941833

Avaya has released a security advisory at the following link: ASA-2007-356 

US-CERT has released a vulnerability note at the following link: VU#361968

 
Impact

An unauthenticated, remote attacker could crash applications that use MSXML or execute arbitrary code with the privileges of the user. If the user holds administrative privileges, an attacker could gain complete control over the affected system.

 
Technical Information

This vulnerability exists due to insufficient validation of user-supplied input within scripts that leverage MSXML. MSXML allows the use of XML within applications and scripts that use JScript or Visual Basic. The affected component fails to properly validate user-supplied input that is passed to a parameter of the substringData() method of the XMLDOM object. When processing malformed scripts or XML documents that pass overly large values via the affected parameter to the affected method, MSXML may perform unsafe memory operations, resulting in the corruption of system memory.

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a website designed to execute a malicious script that makes calls to the MSXML component. An attacker could use the resulting system memory corruption to execute arbitrary code with the privileges of the user who opened the malicious document.

 
Safeguards

Administrators are advised to apply the appropriate software updates.

Administrators may consider disabling ActiveX controls and Active Scripting or enabling user prompts that would confirm the intention to execute such code.

Users are advised to read e-mail in plain text.

Users are advised not to visit untrusted websites.

Users are advised to run applications with the lowest necessary privileges.

 
Patches/Software

Microsoft has released updated software at the following links:

Microsoft has released a hotfix for Windows Vista-based systems that have applied the MS07-042 update for Microsoft XML Core Services 4.0 at the following link: Update for Microsoft XML Core Services 4.0 Service Pack 2


Signatures
 
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Signature 6423/0: Microsoft XML Core Services Integer Overflow (release S404, 05/27/2009)
 
Alert History
 

Version 6, January 10, 2008, 3:04 PM: Microsoft has re-released a security bulletin with additional affected products and a patch to address the Microsoft XML Core Services memory corruption vulnerability.

Version 5, September 28, 2007, 9:35 AM: Microsoft has identified additional affected products and potential compatibility issues on Windows Vista-based systems that may arise after the XML Core Services 4.0 update has been applied.  Microsoft has re-released the MS07-042 security bulletin to address these issues.

Version 4, August 30, 2007, 5:17 PM: Avaya has released a security advisory to address the XML Core Services memory corruption vulnerability in Microsoft.

Version 3, August 17, 2007, 7:57 AM: Proof-of-concept code that demonstrates the XML Core Services memory corruption vulnerability in Microsoft is available.

Version 2, August 15, 2007, 4:56 PM: Additional technical information is available.  US-CERT has released a vulnerability note.

Version 1, August 14, 2007, 4:51 PM: Microsoft XML Core Services contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. - Microsoft XML Core Services: 3.0 Base | 4.0 Base, SP1, SP2 | 5.0 Base, SP1 | 6.0 Base

Associated Products:
Avaya, Inc. - Customer Interaction Express (CIE): 1.0 .0, .2
Avaya, Inc. - Modular Messaging: 2.0 .1, Base, SP1, SP2, SP3, SP4 | 3.0 Base | 3.1 Base
Microsoft, Inc. - Windows 2000: Advanced Server Base, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc. - Windows Server 2003: Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2
Microsoft, Inc. - Windows Server 2008: Datacenter Edition Base | Datacenter Edition, 64-bit Base | Enterprise Edition Base | Enterprise Edition, 64-bit Base | Itanium-Based Systems Edition Base | Standard Edition Base | Standard Edition, 64-bit Base | Web Server Base | Web Server, 64-bit Base
Microsoft, Inc. - Windows Vista: Business Base, SP1 | Business x64 Edition Base, SP1 | Enterprise Base, SP1 | Enterprise x64 Edition Base, SP1 | Home Basic Base, SP1 | Home Basic x64 Edition Base, SP1 | Home Premium Base, SP1 | Home Premium x64 Edition Base, SP1 | Ultimate Base, SP1 | Ultimate x64 Edition Base, SP1
Microsoft, Inc. - Windows XP: Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.