Internet threat level: 1
Home→Descriptions→SA23655
Microsoft XML Core Services Multiple Vulnerabilities
| Secunia ID | |
| CVE-ID | |
| Release Date |
09 Jan 2007 |
| Last Change |
13 Jul 2011 |
| Criticality | |
| Solution Status |
Vendor Patch |
| Software |
Microsoft Expression Web 1.x |
| Where | |
| Impact |
DoS (Denial of Service)This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system. System accessThis covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Cross-Site ScriptingCross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system. Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery". Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks. |
| Description |
Multiple vulnerabilities have been reported in Microsoft XML Core Services, which can be exploited by malicious people to gain knowledge of sensitive information or potentially compromise a user's system. 1) A race condition when parsing XML content can be exploited to corrupt memory by reloading specially crafted XML files with nested tags in multiple iframes. Successful exploitation may allow execution of arbitrary code by e.g. tricking a user into visiting a malicious website. NOTE: This vulnerability only affects systems with Microsoft XML Core Services 3.0 installed. 2) An error in the handling of error checks for external document type definitions (DTDs) can be exploited to violate the cross-domain policy and read contents from another domain when a user e.g. visits a malicious website or views a specially crafted HTML e-mail. NOTE: This vulnerability only affects systems with Microsoft XML Core Services 3.0 or Microsoft XML Core Services 4.0 installed. 3) An error in the handling of transfer-encoding headers can be exploited to violate the cross-domain policy and read contents from another domain when a user e.g. visits a malicious website or views a specially crafted HTML e-mail. |
| Solution |
Apply patches. -- Windows 2000 -- Windows 2000 SP4 and Microsoft XML Core Services 3.0: Windows 2000 SP4 and Microsoft XML Core Services 4.0: Windows 2000 SP4 and Microsoft XML Core Services 6.0: -- Windows XP -- Windows XP SP2 and Microsoft XML Core Services 3.0: Windows XP SP3 and Microsoft XML Core Services 3.0: Windows XP SP2/SP3 and Microsoft XML Core Services 4.0: Windows XP SP2 and Microsoft XML Core Services 6.0: Windows XP SP3 and Microsoft XML Core Services 6.0: Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0: Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0: Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0: -- Windows Server 2003 -- Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 3.0: Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 4.0: Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 6.0: Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0: Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0: Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0: Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 3.0: Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 4.0: Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 6.0: -- Windows Vista -- Windows Vista and Microsoft XML Core Services 3.0: Windows Vista SP1 and Microsoft XML Core Services 3.0: Windows Vista (optionally with SP1/SP2) and Microsoft XML Core Services 4.0: Windows Vista and Microsoft XML Core Services 6.0: Windows Vista SP1 and Microsoft XML Core Services 6.0: Windows Vista x64 Edition and Microsoft XML Core Services 3.0: Windows Vista x64 Edition SP1 and Microsoft XML Core Services 3.0: Windows Vista x64 Edition (optionally with SP1/SP2) and Microsoft XML Core Services 4.0: Windows Vista x64 Edition and Microsoft XML Core Services 6.0: Windows Vista x64 Edition SP1 and Microsoft XML Core Services 6.0: -- Windows Server 2008 -- Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 3.0: Windows Server 2008 for 32-bit Systems (optionally with SP2) and Microsoft XML Core Services 4.0: Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 6.0: Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 3.0: Windows Server 2008 for x64-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0: Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 6.0: Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 3.0: Windows Server 2008 for Itanium-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0: Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 6.0: -- Windows 7 -- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1 and Microsoft XML Core Services 4.0: Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1 and Microsoft XML Core Services 4.0: -- Windows Server 2008 R2 -- Windows Server 2008 R2 for x64-based Systems (optionally SP1) and Microsoft XML Core Services 4.0: Windows Server 2008 R2 for Itanium-based Systems (optionally SP1) and Microsoft XML Core Services 4.0: -- Microsoft Office -- Office 2003 SP3 and Microsoft XML Core Services 5.0: Microsoft Word Viewer 2003 SP3 and Microsoft XML Core Services 5.0: 2007 Microsoft Office System and Microsoft XML Core Services 5.0: 2007 Microsoft Office System SP1 and Microsoft XML Core Services 5.0: Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft XML Core Services 5.0: Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and Microsoft XML Core Services 5.0: Microsoft Expression Web and Microsoft XML Core Services 5.0: Microsoft Expression Web 2 and Microsoft XML Core Services 5.0: Office SharePoint Server 2007 (32-bit editions) and Microsoft XML Core Services 5.0: Office SharePoint Server 2007 SP1 (32-bit editions) and Microsoft XML Core Services 5.0: Office SharePoint Server 2007 (optionally with SP1) (64-bit editions) and Microsoft XML Core Services 5.0: Office Groove Server 2007 and Microsoft XML Core Services 5.0: |
| Reported by |
1) Michal Zalewski |
| Original Advisory |
MS08-069 (KB955218): Michal Zalewski: |
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.