Hello again... this month's update contains 6 advisories with atotal of 15 patched vulnerabilities. Major apps for this month wereonce again IE and Outlook/Windows Mail, coming in with 6 and 4 patchedvulnerabilities respectively. This month we also see updates forfile-based attack vectors against Visio, remotely exploitablevulnerabilities in both a dev library and a security package patched,and a fairly low profile information disclosure vulnerability in Vistadealt with.
As usual details are given below in order of descending urgency. Happypatching, and we'll be back for another round next month...
MS07-034; KB929123
Cumulative Security Update for Outlook Express and Windows Mail
This release addresses four issues in Windows Mail (vista) andOutlook Express 6 (all others). It also replaces previous bulletinsMS06-016, Ms06-043, and MS06-076. Three of the four issues are variousways attackers can access cookies and other information from otherdomains via manipulation of MHTML references.
• Microsoft Windows Vista Windows Mail Local File Execution Vulnerability
BID 23103; CVE: CVE-2007-1658
(Symantec Urgency Rating: 8.5; MS Rating: Critical)
This issue was first disclosed on Mar 23 2007, and affects only the Vista mail client.
Microsoft Vista Windows Mail executes any scripts or program files thathave an associated folder with the same name. An attacker must entice avictim into opening a maliciously crafted link using the affectedapplication. When the issue is triggered, the attacker-requested fileruns without requiring any further actions by the user.
Attackers may exploit this issue to execute local or locally-accessible files, including those on network shares.
• Outlook Express MHTML URI Handler Information Disclosure Vulnerability
BID 17717; CVE: CVE-2006-2111
(Symantec Urgency Rating: 7.5; MS Maximum Rating: Important)
This vulnerability has been public knowledge since Apr 27 2006. Sincethen there had been some debate about whether browsers were affecteddirectly, and if IE7 was vulnerable - this was clarified in a blog postfrom MS in October, and is now patchable.
Outlook Express and Windows Mail are prone to a cross-domaininformation-disclosure vulnerability. The problem is that the browserfails to correctly handle redirections with the 'mhtml:' URI handler.
This vulnerability can occur when a user follows a 'mhtml:' link on amalicious page that leads to a site in another domain. Attackers couldexploit this issue to gain access to sensitive information (such ascookies or passwords) that is associated with the external domain.
• Microsoft Outlook Express MHTML URL Redirect Information Disclosure Vulnerability
BID 24392; CVE: CVE-2007-2225
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Important)
Outlook Express is prone to a cross-domain information-disclosurevulnerability. The MHTML protocol handler permits encoded documents tobe rendered in applications.
This vulnerability can occur when a user follows an 'mhtml:' link in anHTML email or on a malicious page. Attackers could exploit this issueto gain access to sensitive information (such as cookies or passwords)that is associated with the external domain.
• Microsoft Outlook Express Content Disposition Parsing Information Disclosure Vulnerability
BID 24410; CVE: CVE-2007-2227
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Moderate)
This is the third and last of the cross-domain information disclosure issues, again related to MHTML handling.
MS07-031;KB935840
Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution
This affects all currently supported Microsoft operating systems upto (but not including) Vista. The impact potential is dependant on thetarget OS; XP can be caused to execute arbitrary code; all others canbe crashed remotely. Due to this discrepancy, the MS rating isdifferent per platform - Critical on XP, Moderate or Important on therest.
• Microsoft Windows Schannel Security Remote Code Execution Vulnerability
BID 24416; CVE: CVE-2007-2218
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
The Microsoft Windows Schannel security package is used to provide 128-bit strong encryption in Internet Explorer.
An attacker can exploit a vulnerability in this package by enticing avictim into visiting a malicious web page. This vulnerability occursduring the processing and validation of server-sent digital signaturesby the client application. Expect to see exploits for this added to thecurrently available browser attack toolkits in the near future.
MS07-035;KB935839
Vulnerability in Win 32 API Could Allow Remote Code Execution
• Microsoft Win32 API Parameter Validation Remote Code Execution Vulnerability
BID 24370; CVE: CVE-2007-2219
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
This was originally disclosed in April of this year. The library isprone to a remote code-execution vulnerability. Specifically, thisvulnerability occurs when the Win32 API component parses unspecifiedparameters that are passed to it from other applications such asInternet Explorer. An attacker may trigger this vulnerability byconvincing a victim user to follow a malicious URI, ultimatelyresulting in the execution of attacker-supplied code.
MS07-033;KB933566
Cumulative Security Update for Internet Explorer
This update addresses 6 vulnerabilities in IE, and replaces MS07-027as well. IE versions 5 to 7 are all affected. Details on some of theseare still limited, and the BID writeups will be updated as moreinformation becomes available. All of these are rated "Important" byMicrosoft on the Server 2003 platform due to the availability ofEnhanced Security Configuration.
• Microsoft Internet Explorer Unspecified Uninitialized Memory Corruption Vulnerability
BID 24418; CVE: CVE-2007-1751
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
Microsoft Internet Explorer is prone to a memory-corruptionvulnerability when accessing objects that are improperly instantiatedor deleted.
• Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability
BID 24423; CVE: CVE-2007-1750
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
Microsoft Internet Explorer fails to properly handle certain CSS data.
• Microsoft Internet Explorer Speech API 4 COM Object Instantiation Memory Corruption Vulnerability
BID 24426; CVE: CVE-2007-2222
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when instantiating certain COM objects.
The vulnerability exists in the speech control of the Speech API 4. Thefollowing COM object CLSIDs and corresponding DLLs are affected:
- {4E3D9D1F-0C63-11D1-8BFB-0060081841DE}, Xlisten.dll
- {EEE78591-FE22-11D0-8BEF-0060081841DE}, Xvoice.dll
• Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code Execution Vulnerability
BID 24372; CVE: CVE-2007-0218
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
This issue occurs because of the flawed manner in which certain COMobjects (which were not intended to be instantiated from a browser)return values to the browser when called by a web page. These COMobjects are located in the 'urlmon.dll' library.
The following CLSIDs are affected:
- {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
- {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
- {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B}
- {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B}
- {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
- {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
- {3DD53D40-7B8B-11D0-B013-00AA0059CE02}
• Microsoft Internet Explorer Language Pack Installation Remote Code Execution Vulnerability
BID 24429; CVE: CVE-2007-3027
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)
Microsoft Internet Explorer is prone to remote code-executionvulnerability because of a race condition in its language-packinstallation support.
Specifically, this issue occurs when Internet Explorer attempts torender an HTML document that requires language character sets that donot already exist on the affected computer. In this scenario, aninstall-on-demand feature attempts to download and install the requiredfiles. A race-condition may occur when multiple language packs aresimultaneously installed, potentially resulting in memory corruption.
• Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting Vulnerability
BID 22966; CVE: CVE-2007-1499
(Symantec Urgency Rating: 6.1; MS Maximum Rating: Critical)
This issue was publicly disclosed in March of this year. MicrosoftInternet Explorer versions 5 to 7 (inclusive) are prone to awebpage-spoofing vulnerability in the "Navigation cancelled" page. Thisissue arises when rendering the local 'Navigation Canceled' resourcepage 'res://ieframe.dll/navcancel.htm'.When page navigation iscanceled, the intended URI path is appended to the local resource pathfollowing a '#' character (e.g.'res://ieframe.dll/navcancel.htm#http://www.example.com'). A 'Refreshthe page' web link is generated and rendered on the page. Arbitraryscript code contained in the destination URI will be executed when auser follows the link. An attacker can exploit this issue to stealcookie-based authentication credentials and obtain sensitiveinformation that may aid in further attacks.
MS07-030;KB927051
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution
Two previously unpublished issues in Visio get addressed this month,both of which can allow for arbitrary code execution in the context ofthe victim user. Visio 2002 and 2003 are affected; Visio 2007 is not.Attacks can come in the form of .VSS, .VST, or .VSD files for both ofthem.
• Microsoft Visio Packed Objects Remote Code Execution Vulnerability
BID 24384; CVE: CVE-2007-0936
(Symantec Urgency Rating: 7.1; MS Rating: Important)
Visio is prone to a remote code-execution vulnerability when parsing packed objects within .VSS, .VSD, or .VST files.
• Microsoft Visio Version Number Remote Code Execution Vulnerability
BID 24349; CVE: CVE-2007-0934
(Symantec Urgency Rating: 7.1; MS Rating Important :)
This issue occurs when the application processes the 'version number' field of .VSS, .VSS, and .VST files.
MS07-032;KB931213
Vulnerability in Windows Vista Could Allow Information Disclosure
• Microsoft Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability
BID
24411; CVE: CVE-2007-2229
(Symantec Urgency Rating: 5.2; MS Rating: Moderate)
Microsoft Windows Vista is prone to a local information-disclosurevulnerability. This issue occurs because the application permitsnon-privileged users to access local user information stores containedwithin the registry and local file system.