Severity: High
13 February, 2006
Summary:
Today, Microsoft released two security bulletins describing three vulnerabilities which are exploited via Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page, an attacker could leverage flaws in libraries or controls accessible through IE to execute code on your user’s computer, with your user’s privileges. In many cases, the attacker could gain complete control of the victim’s computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.
Exposure:
In security bulletins (MS07-009, MS07-016) released today as part of their monthly patch update, Microsoft describes three new vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. All three vulnerabilities are rated critical. IE 7 on Vista is not affected. The vulnerabilities break down as follows:
1. IE improperly starts COM objects
The vulnerability here lies in the way IE starts (or, in geek speak, instantiates) certain Component Object Model (COM) objects. Not all COM objects were meant to be started by IE, and Microsoft’s bulletin lists seven such COM objects. A knowledgeable attacker can build a Web page which forces IE to start one of these seven and then use it to corrupt the system’s memory (similar to a buffer overflow attack), gaining the same level of authority on the system that the logged on user has. If that user has administrator rights, then so does the attacker.
Severity: High
13 February, 2006
Summary:
Today, Microsoft released two security bulletins describing three vulnerabilities which are exploited via Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page, an attacker could leverage flaws in libraries or controls accessible through IE to execute code on your user’s computer, with your user’s privileges. In many cases, the attacker could gain complete control of the victim’s computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.
Exposure:
In security bulletins (MS07-009, MS07-016) released today as part of their monthly patch update, Microsoft describes three new vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. All three vulnerabilities are rated critical. IE 7 on Vista is not affected. The vulnerabilities break down as follows:
1. IE improperly starts COM objects
The vulnerability here lies in the way IE starts (or, in geek speak, instantiates) certain Component Object Model (COM) objects. Not all COM objects were meant to be started by IE, and Microsoft’s bulletin lists seven such COM objects. A knowledgeable attacker can build a Web page which forces IE to start one of these seven and then use it to corrupt the system’s memory (similar to a buffer overflow attack), gaining the same level of authority on the system that the logged on user has. If that user has administrator rights, then so does the attacker.
2. IE improperly responds to FTP server commands
In addition to being a Web browser, IE is also an FTP client. The FTP client is vulnerable to an unspecified memory corruption vulnerability when transferring data from a malicious FTP server. When exploiting this vulnerability, the attacker gains the same level of control over the system as the logged on user has. If that user has administrator rights, then so does the attacker.
3. An ActiveX control for database connectivity can be abused
IE can be used to access databases. To do so, it frequently utilizes components from Microsoft’s Data Access Components framework (MDAC). One of the ActiveX controls in the framework (ADODB.Connection) has a memory corruption vulnerability. The attacker exploits the vulnerability by luring a victim to a specially crafted Web page which instructs the browser to start the ADODB.Connection ActiveX applet. Attackers exploiting this vulnerability gain the same level of control over their victim’s computer that the victim has. If the victim is an administrator, so is the attacker. Because of the nature of this vulnerability, Microsoft chose to address it in a separate patch, linked below.
In addition to fixing the newly announced flaws, the patch announced with MS07-016 cumulatively fixes all previously known IE security issues and offers some security enhancements as well as minor changes in functionality.
Solution Path:
Microsoft offers many workarounds for the issues covered by these bulletins. Most of the workarounds involve various ways of keeping IE from accessing the vulnerable components. In some cases, their advice leads to a reduction in functionality and may not be a realistic option for you.
In light of the seriousness of the issues covered in this alert, we recommend that you download, test, and deploy the appropriate IE patches as soon as possible. Please note that there are two patches, and you want both of them.
Patches associated with MS07-016 (IE cumulative patch)
- Internet Explorer 5.01
- Internet Explorer 6.0
-
- Microsoft no longer supports 98, ME, or XP SP1
- For Windows 2000
- For Windows XP SP2
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
-
- Internet Explorer 7.0
Patches associated with MS07-009 (MDAC update)
- Windows 2000 SP4
- Windows XP SP2
- Windows Server 2003
- Windows Server 2003 Itanium
Status: Microsoft has released patches to fix these vulnerabilities.