- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in Windows URI Handling Could Allow Remote Code Execution
(MS07-061)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in the way that the Windows
shell handles specially crafted URIs that are passed to it. An attacker
could exploit this vulnerability by including a specially crafted URI in
an application or attachment, which could potentially allow remote code
execution.
DETAILS
Affected Software:
* Windows XP Service Pack 2
* Windows XP Professional x64 Edition
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition
* Windows 2003 Server x64 Edition Service Pack 2
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 with SP2 for Itanium based Systems
Non-Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Windows Vista
* Windows Vista x64
Mitigating Factors for Windows URI Handling Vulnerability:
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:
* Windows 2000 Service Pack 4 is not affected
* Windows Vista is not affected
* Windows Vista x64 Edition is not affected
* Microsoft has not identified a way to exploit this vulnerability on any
Windows operating system that is running Internet Explorer 6
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.
* In an e-mail based attack of this exploit, customers who read e-mail in
plain text are at less risk from this vulnerability. To be more at risk
from this vulnerability, users would have to either click on a link that
would take them to a malicious Web site or open an attachment.
FAQ for Windows URI Handling Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the logged on user.
If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
What causes the vulnerability?
The Windows shell insufficiently handles invalid URIs.
What is a URI?
A Uniform Resource Identifier (URI) is a string of characters used to act
on or identify resources from the Internet or over a network. A URL is a
typical example of a URI that references a resource such as a Web site.
For more information about URIs, see
<http://www.ietf.org/rfc/rfc2396.txt> RFC 2396.
What might an attacker use the vulnerability to do?
An attacker who has convinced a user to open an attachment in mail or to
follow a link to an attacker's Web site could run arbitrary code as the
logged on user. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.
How could an attacker exploit the vulnerability?
An attacker would have to create a specially crafted URI and provide the
URI as input to an application on an affected system, which would then
attempt to access the resource referred to it by the URI. Applications
that take URIs as input from untrusted sources such as attachments in
e-mail, documents, or data from the network assuming it will be safe, are
exposed to this vulnerability. Under specific circumstances, processing
specially crafted URI input could allow arbitrary code to be executed. In
order to exploit the vulnerability, an attacker would have to convince the
user to launch the attachment or application, or visit the Web site. An
attacker could host a specially crafted Web site that is designed to
exploit this vulnerability through Internet Explorer and then convince a
user to view the Web site. This vulnerability might also be exploited by
compromised Web sites or Web sites that accept or host user-provided
content or advertisements. These Web sites could contain specially crafted
URIs that could exploit this vulnerability. It could also be possible to
display specially crafted URIs by using banner advertisements or by using
other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
Systems running supported editions of Windows XP and Windows Server 2003
with Internet Explorer 7 installed are vulnerable.
What does the update do?
The update removes the vulnerability by changing the way that the Windows
shell handles invalid URIs.
I do not have Windows Internet Explorer 7 installed. Why am I receiving
this update?
The vulnerability exists in a Windows file, Shell32.dll, included in
supported editions of Windows XP and Windows Server 2003. Microsoft has
not identified any way to exploit this vulnerability on systems using
Internet Explorer 6, which is the browser that is included with these
operating systems. As a defense-in-depth measure, this security update is
made available to all customers using supported editions of Windows XP and
Windows Server 2003, regardless of which version of Internet Explorer is
installed.
I am using Windows Vista, am I at risk from this vulnerability?
No. Windows Vista is not affected by this vulnerability. Windows Internet
Explorer 7 is included with Windows Vista but the Windows shell in Windows
Vista is not affected by this vulnerability.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability had been publicly disclosed when this security
bulletin was originally issued. It has been assigned the Common
Vulnerability and Exposure number CVE-2007-3896. This vulnerability was
first described in
<http://www.microsoft.com/technet/security/advisory/943521.mspx> Microsoft
Security Advisory 943521.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received
information that this vulnerability was being exploited.
Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
Yes. This security update addresses the vulnerability that is currently
being exploited. The vulnerability that has been addressed has been
assigned the Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3896>
CVE-2007-3896.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3896>
CVE-2007-3896
ADDITIONAL INFORMATION
The information has been provided by Microsoft Security Bulletin MS07-061.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx?pubDate=2007-11-13> http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment