Severity: High
14 August, 2007
Summary:
Today, Microsoft released two security bulletins describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.
Exposure:
In two security bulletins (MS07-045 and MS07-050) released today as part of their monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. Microsoft rates all four of the vulnerabilities “Critical” and each vulnerability affects all current versions of Windows, including Vista, to some extent.
Severity: High
14 August, 2007
Summary:
Today, Microsoft released two security bulletins describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.
Exposure:
In two security bulletins (MS07-045 and MS07-050) released today as part of their monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. Microsoft rates all four of the vulnerabilities “Critical” and each vulnerability affects all current versions of Windows, including Vista, to some extent.
The vulnerabilities fall into two general categories:
- Problems with interpreting .css files
- Improper input validation on several ActiveX controls
All of the vulnerabilities share the same repercussions. If an attacker can trick one of your users into visiting a specially crafted web page, he can exploit any of these flaws to execute code on your user’s computer, with your user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of their machines. This alone should convince you to install the IE patchs immediately. However, if you’re curious about what each flaw is, we summarize them briefly below:
From MS07-045
- CSS Memory Corruption Vulnerability. Internet Explorer doesn’t properly handle specially malformed .CSS files. Under certain circumstances (which Microsoft doesn’t detail), if an attacker can entice a user to visit a malicious web site, the attacker can use this vulnerability to execute code as the user who is logged in. If the user has administrator priviledges on his or her computer, the attacker will too.
- Improper Input Validation in tblinf32.dll (also called vstlbinf.dll). IE doesn’t properly validate input passed to the .DLL. In fact, Microsoft goes so far as to say that the .DLL was never intended to be supported by Internet Explorer at all. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged in user has. If that user has administrator priviledges, so does the attacker.
- Improper Input Validation in pdwizard.ocx. IE doesn’t properly validate input passed to the ActiveX control associated with Visual Basic, named pdwizard.ocx. In this case, an attacker can manipulate the memory corruption resulting from an exploit to execute his own code on the system. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged in user has. If that user has administrator priviledges, so does the attacker.
From MS07-050
- Improper Input Validation in vgx.dll. IE doesn’t properly validate input passed to vgx.dll, an ActiveX control responsible for interpreting web pages with Vector Markup Language (VML) encoding. In this case, an attacker can manipulate the resulting memory corruption to execute his own code on the system. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged in user has. If that user has administrator priviledges, so does the attacker. If you’d like to see a demonstration of a similar type of attack that also targets VML, check out the WatchGuard Wire video blog from last September.
Solution Path:
These patches fix serious issues. You should download, test, and deploy both of the appropriate IE patches as soon as possible.
MS07-045
- Internet Explorer 5.01
- Internet Explorer 6.0
-
- Microsoft no longer supports 98, ME, or XP SP1
- For Windows 2000
- For Windows XP SP2
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
-
- Internet Explorer 7.0
MS07-050
- Internet Explorer 5.01
- Internet Explorer 6.0
-
- Microsoft no longer supports 98, ME, or XP SP1
- For Windows 2000
- For Windows XP SP2
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
-
- Internet Explorer 7.0
For All WatchGuard Users:
These attacks travel as normal-looking HTTP traffic, which you need to allow so your network users can access the World Wide Web. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches to fix these vulnerabilities.
References:
- MS Security Bulletin MS07-045
- MS Security Bulletin MS07-050
- WatchGuard Wire video blog on VML attacks