Security Intelligence Operations

Microsoft Internet Explorer Visual Basic ActiveX Control Memory Corruption Vulnerability

Vulnerability Alert	Powered by

Threat Type:

Unintended Weakness: Arbitrary Code Execution

IntelliShield ID:	13941
Version:	3
First Published:	August 14, 2007 02:49 PM EDT
Last Published:	August 23, 2007 07:17 AM EDT
Vector:	Network
Authentication:	None
Exploit:	Unproven
Port:	Not Available
CVE:	CVE-2007-2216
BugTraq ID:	25289

Urgency:	Unlikely Use
Credibility:	Confirmed
Severity:	Moderate Damage
CVSS Base:	9.3	CVSS Calculator CVSS Version 2
CVSS Temporal:	6.9	CVSS Calculator CVSS Version 2


Version Summary:	Avaya has released a security advisory to address the Visual Basic TypeLib Information ActiveX Control memory corruption vulnerability in Microsoft Internet Explorer.

Description

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to cause the browser to terminate, or execute arbitrary code.

The vulnerability exists due to improper IObjectSafety properties on affected ActiveX controls. An unauthenticated, remote attacker could exploit this vulnerability by creating a malicious web page, which invokes the affected ActiveX objects, and convincing a user to visit such a website. If successful, the object instantiation may cause system memory corruption and allow the attacker to execute arbitrary code with the privileges of the user.

Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

Warning Indicators

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 are vulnerable on the following operating systems:

Microsoft Windows 2000 SP4 and prior
Microsoft Windows XP SP2 and prior
Microsoft Windows XP Professional x64 Edition SP2 and prior
Microsoft Windows Server 2003 SP2 and prior
Microsoft Windows Server 2003 for Itanium-based Systems SP2 and prior
Microsoft Windows Server 2003 x64 Edition SP2 and prior
Microsoft Windows Vista
Microsoft Windows Vista x64

IntelliShield Analysis

Only systems that contain the vulnerable libraries are vulnerable to an exploit. Systems most likely to contain these libraries are development systems that have Microsoft Visual Basic installed. However, the libraries may be bundled and redistributed with custom code and may exist on other systems.

Attackers will rely on user interaction to exploit this vulnerability. A successful exploit may enable the attacker to run arbitrary code with the privileges of the user who launched Internet Explorer. On systems that grant users Administrator privileges, the attacker could take complete control over an affected system.

The update available from Microsoft corrects this vulnerability by preventing the vulnerable ActiveX control from running within Internet Explorer.

Vendor Announcements

Microsoft has released a security bulletin at the following link: MS07-045

Avaya has released a security advisory at the following link: ASA-2007-364

Impact

An unauthenticated, remote attacker could exploit this vulnerability to cause Internet Explorer to terminate, or execute arbitrary code with the privileges of the user. The targeted user's privileges will determine the level of system compromise. If an affected system grants the user Administrator privileges, the attacker could take complete control of the system.

Technical Information

This vulnerability exists due to improper IObjectSafety properties on affected ActiveX controls. Although the affected control is not marked safe for scripting, the library improperly implements IObjectSafety restrictions, allowing an attacker to load this control within Internet Explorer.

The tblinf32.dll library, or the similar vstlbinf.dll library exist as part of Microsoft Visual Basic. The TypeLibInfoFromFile() function that is contained within either library accepts paths to remote locations as input. An unauthenticated, remote attacker could exploit this vulnerability by loading the affected control within a browser and supplying the control with a path to a remote, malicious file as part of a web page. By directing the control to a remote location, the attacker could cause a user's browser to load a malicious file, corrupting system memory. The resulting memory corruption could allow an attacker to cause Internet Explorer to terminate, or execute arbitrary code with the privileges of the user who launched the affected application.

Safeguards

Administrators are advised to apply the appropriate updates.

Users are advised not to open e-mail from untrusted sources.

Users are advised to run applications with the lowest necessary privileges.

Users are advised not to follow unsolicited links. Users should verify the authenticity of an unexpected link from a trusted source prior to following the link.

Administrators may consider disabling ActiveX.

Administrators may consider disabling the vulnerable ActiveX controls by enabling their kill bits in the Windows Registry via the following CLSIDs:

{8B217746-717D-11CE-AB5B-D41203C10000}
{8B217752-717D-11CE-AB5B-D41203C10000}
{8B21775E-717D-11CE-AB5B-D41203C10000}

Patches/Software

Microsoft has released updated software at the following links:

Signatures

Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
5888/0	TLBINF32.DLL COM Object Instantiation	S359	10/03/2008

Alert History

Version 2, August 20, 2007, 7:45 PM: Additional technical information is available regarding the Visual Basic TypeLib Information ActiveX Control memory corruption vulnerability.

Version 1, August 14, 2007, 2:49 PM: Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to cause the browser to terminate, or execute arbitrary code. Updates are available.

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc.	Internet Explorer	5.01 Base, SP1, SP2, SP3, SP4 \| 6.0 Base, SP1, SP2 \| 7.0 Base

Associated Products:
Avaya, Inc.	Customer Interaction Express (CIE)	1.0 .0, .2
Avaya, Inc.	Messaging Application Server	2.0 Base \| 3.0 Base \| 3.1 Base
Microsoft, Inc.	Windows 2000	Advanced Server Base, SP1, SP2, SP3, SP4 \| Datacenter Server Base, SP1, SP2, SP3, SP4 \| Professional Base, SP1, SP2, SP3, SP4 \| Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.	Windows Server 2003	Datacenter Edition Base, SP1, SP2 \| Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 \| Datacenter Edition x64 (AMD/EM64T) Base, SP2 \| Enterprise Edition Base, SP1, SP2 \| Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 \| Enterprise Edition x64 (AMD/EM64T) Base, SP2 \| Standard Edition Base, SP1, SP2 \| Standard Edition, 64-bit (Itanium) Base, SP1, SP2 \| Standard Edition x64 (AMD/EM64T) Base, SP2 \| Web Edition Base, SP1, SP2
Microsoft, Inc.	Windows Vista	Business Base \| Business x64 Edition Base \| Enterprise Base \| Enterprise x64 Edition Base \| Home Basic Base \| Home Basic x64 Edition Base \| Home Premium Base \| Home Premium x64 Edition Base \| Ultimate Base \| Ultimate x64 Edition Base
Microsoft, Inc.	Windows XP	Home Edition Base, SP1, SP2 \| Professional Edition Base, SP1, SP2 \| Professional x64 (AMD/EM64T) Base, SP2

LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

Hierarchical Navigation

Security Intelligence Operations

Related Links

Feedback