- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerabilities in Windows Gadgets Allows Code Execution (MS07-048)
------------------------------------------------------------------------
SUMMARY
Several vulnerabilities have been discovered in Microsoft Windows Gadgets.
These vulnerabilities could allow an anonymous remote attacker to run code
with the privileges of the logged on user. If a user subscribed to a
malicious RSS feed in the Feed Headlines Gadget or added a malicious
contacts file in the Contacts Gadget or a user clicked on a malicious link
in the Weather Gadget an attacker could potentially run code on the
system. In all attack vectors, users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who
operate with administrative user rights.
DETAILS
Affected and Non-Affected Software
The software listed here has been tested to determine which versions or
editions are affected. Other versions or editions are either past their
support life cycle or are not affected. To determine the support life
cycle for your software version or edition, visit Microsoft Support
Lifecycle.
Affected Software
Operating System - Maximum Security Impact - Aggregate Severity Rating -
Bulletins Replaced by This Update
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71-4529-b4d3-ac57dab59e01> Windows Vista - Remote Code Execution - Important - None
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=24443f59-b908-480b-9b72-7094d4b5e128> Windows Vista x64 Edition - Remote Code Execution - Important - None
Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution
A remote code execution vulnerability exists in Windows Vista Feed
Headlines Gadgets that could allow a remote anonymous attacker to run code
with the privileges of the logged on user.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3033>
CVE-2007-3033
Windows Vista Contacts Gadget Could Allow Code Execution
A code execution vulnerability exists in Windows Vista Contacts Gadget
that could allow an attacker to run code with the privileges of the logged
on user.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3032>
CVE-2007-3032
Windows Vista Weather Gadget Could Allow Remote Code Execution
A remote code execution vulnerability exists in Windows Vista Weather
Gadgets that could allow an attacker to run code with the privileges of
the logged on user.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3891>
CVE-2007-3891
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@microsoft.com>
Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx>
http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment