INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-onuser. |
| PLATFORM: | Windows 2000 Service Pack 4 Microsoft XML Core Services 3.0, 4.0, 6.0 Windows XP Service Pack 2 Professional x64 Edition Servcie pack 2 Windows Server 2003 Service Pack 1, 2 x64 Edition x64 Edition Service Pack 2 w/SP1, 2 for Itanium-based Systems Windows Vista x64 Edition Office Software Microsoft Office 2003 Service Pack 2 2007 Microsoft Office System Microsoft Office SharePoint Server Microsoft Office Groove Server 2007 |
| DAMAGE: | Could allow remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. If the user is logged on with administrative user rights, an attacker could take complete control of the affected system. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/r-316.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS07-042.mspx |
| CVE: | CVE-2007-2223 |
REVISION HISTORY:
08/16/2007 - revised R-316 to reflect changes Microsoft has made in MS07-042
where they corredted file manifest information for Microsoft XML
Core Services 4.0.
09/28/2007 - revised R-316 to reflect changes Microsoft has made in MS07-042 where
they added Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats and Microsoft Expression Web as affected
products. The bulletin has also been updated to inform customers that
a potential reliability issue exists in applications that have installed
Microsoft XML Core Services 4.0 on Windows Vista.
01/10/2008 - revised R-316 to reflect changes Microsoft has made in MS07-042 where
they added Microsoft Word Viewer 2003 as an affected product. Also an
Update FAQ clarifying the kill bit for Microsoft XML Parser 2.6 and its
applicability to this security update.
06/27/2008 - revised R-316 to reflect changes Microsoft has made in MS07-042 where
they added added Windows XP Service Pack 3, Windows Vista Service Pack
1, Windows Vista x64 Edition Service Pack 1, Windows Server 2008 for
32-bit Systems, Windows Server 2008 for x64-based Systems, and Windows
Server 2008 for Itanium-based Systems as affected software. This is a
detection update only. There are no changes to the binaries.
[***** Start Microsoft Security Bulletin (MS07-042) *****]
Version: 4.0
This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This is a critical security update for all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and 2007 Microsoft Office System. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by modifying the way that the Microsoft XML Core Services performs parameter validation. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced By This Update |
| Windows 2000 | ||||
Windows 2000 Service Pack 4 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Critical |
|
Windows 2000 Service Pack 4 |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Critical |
|
Windows 2000 Service Pack 4 |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Critical |
|
| Windows XP | ||||
Windows XP Service Pack 2 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Critical |
|
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Critical |
|
Windows XP Service Pack 2 |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Critical |
|
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Critical |
|
Windows XP Service Pack 2 |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Critical |
|
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Critical |
|
| Windows Server 2003 | ||||
Windows Server 2003 Service Pack 1 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 Service Pack 2 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
None |
Windows Server 2003 x64 Edition |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 x64 Edition Service Pack 2 |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
None |
Windows Server 2003 with SP1 for Itanium-based Systems |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 with SP2 for Itanium-based Systems |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Moderate |
None |
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Moderate |
|
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Moderate |
|
| Windows Vista | ||||
Windows Vista |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Critical |
|
Windows Vista x64 Edition |
Microsoft XML Core Services 3.0 |
Remote Code Execution |
Critical |
|
Windows Vista |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Critical |
|
Windows Vista x64 Edition |
Microsoft XML Core Services 4.0 |
Remote Code Execution |
Critical |
|
Windows Vista |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Critical |
|
Windows Vista x64 Edition |
Microsoft XML Core Services 6.0 |
Remote Code Execution |
Critical |
|
| Office Software | ||||
Microsoft Office 2003 Service Pack 2 |
Microsoft XML Core Services 5.0 |
Remote Code Execution |
Critical |
|
2007 Microsoft Office System |
Microsoft XML Core Services 5.0 |
Remote Code Execution |
Critical |
None |
Microsoft Office SharePoint Server |
Microsoft XML Core Services 5.0 |
Remote Code Execution |
Critical |
None |
Microsoft Office Groove Server 2007 |
Microsoft XML Core Services 5.0 |
Remote Code Execution |
Critical |
None |
 |
Severity Ratings and Vulnerability Identifiers |
|
|
Microsoft XML Core Services Vulnerability - CVE-2007-2223 |
|
|
Security Update Deployment |
* Windows 2000 (all editions)
* Windows XP (all editions)
* Windows Server 2003 (all editions)
* Windows Vista (all editions)
* Office 2003 Service Pack 2
* 2007 Microsoft Office System
* Microsoft Office SharePoint Server and Microsoft Office Groove Server 2007
* Microsoft XML Core Services 4 When Installed on Windows (all versions)
* Microsoft XML Core Services 6 When Installed on Windows (all versions)
Microsoft thanks the following for working with us to help protect customers:
| • | An anonymous researcher working with the VeriSign iDefense VCP for reporting the Microsoft XML Core Services Vulnerability (CVE-2007-2223). |
| • | An anonymous researcher working with the Zero Day Initiative for reporting the Microsoft XML Core Services Vulnerability (CVE-2007-2223). |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (August 14, 2007): Bulletin published. |
| • | V1.1 (August 15, 2007): Bulletin updated: Corrected file manifest information for Microsoft XML Core Services 4.0. |
| • | V2.0 (September 27, 2007): Bulletin updated: Added Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Expression Web as affected products. The Bulletin has also been updated to inform customers that a potential reliability issue exists in applications that have installed Microsoft XML Core Services 4.0 on Windows Vista, which can be addressed by applying the download available in Microsoft Knowledge Base Article 941833. |
| • | V3.0 (January 9, 2008): Bulletin updated: Added Microsoft Word Viewer 2003 as an affected product. Also added an Update FAQ clarifying the kill bit for Microsoft XML Parser 2.6 and its applicability to this security update. |
| • | V4.0 (June 24, 2008): Bulletin updated: Added Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista x64 Edition Service Pack 1, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems as affected software. This is a detection update only. There were no changes to the binaries. |
[***** End Microsoft Security Bulletin (MS07-042) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/