SECUNIA ADVISORY ID: SA22333
VERIFY ADVISORY: http://secunia.com/advisories/22333/
CRITICAL: Highly critical
IMPACT: Exposure of sensitive information, System access
WHERE: >From remote
SOFTWARE:
Microsoft XML Parser 2.x - http://secunia.com/product/12261/
Microsoft XML Core Services 3.x - http://secunia.com/product/12262/
Microsoft Core XML Services (MSXML) 6.x - http://secunia.com/product/6473/
Microsoft Core XML Services (MSXML) 4.x - http://secunia.com/product/6472/
DESCRIPTION: Two vulnerabilities have been reported in Microsoft XML Core Services, which can be exploited by malicious people to disclose certain information and compromise a vulnerable system.
1) An unspecified error exists in the XMLHTTP ActiveX control when interpreting a HTTP server-side redirect. This can be exploited to disclose certain information e.g. via a specially crafted web page.
2) A boundary error exists in the XSLT processing in MSXML. This can be exploited to cause a buffer overflow via a specially crafted web page and allows execution of arbitrary code.
SOLUTION: Apply patches.
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=f9d16d74-1785-4c33-b1fc-df5258dd1089
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows XP SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8a455c3b-213c-4395-87e9-9895f2b9a6ed
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8a455c3b-213c-4395-87e9-9895f2b9a6ed
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5593333f-bcd5-4750-a23d-4f7fccda6493
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=09b77b2a-a4fd-46e2-af15-2385790c9ee7
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=09b77b2a-a4fd-46e2-af15-2385790c9ee7
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=31c88513-29df-475b-b9ae-a2f5c1f32a8c
Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core Services 3.0 (all versions) on Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6183a9d2-89f5-4b25-be8b-090c6e050740
Microsoft Office 2003 Service Pack 1 or Service Pack 2 with Microsoft XML Core Services 5.0 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8A37C111-D8E9-4C2E-9674-169B3331491C
Microsoft XML Core Services 4.0 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5
Microsoft XML Core Services 4.0 on Microsoft Windows XP SP1 and Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5
Microsoft XML Core Services 4.0 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5
Microsoft XML Core Services 6.0 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c
Microsoft XML Core Services 6.0 on Microsoft Windows XP SP1 and Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c
Microsoft XML Core Services 6.0 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: MS06-061 (KB924191): http://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx
Microsoft XML Core Services Information Disclosure and Code ExecutionPosted on Wednesday, October 11, 2006 @ 02:29:11 UTC in Security |
Related
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
