Множественные уязвимости в Microsoft XML Core Services

Дата публикации:	09.01.2007
Дата изменения:	11.08.2010
Всего просмотров:	6334
Опасность:	Высокая
Наличие исправления:	Да
Количество уязвимостей:	3
CVSSv2 рейтинг:	10 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C) 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C) 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C)
CVE ID:	CVE-2007-0099 CVE-2008-4029 CVE-2008-4033
Вектор эксплуатации:	Удаленная
Воздействие:	Раскрытие важных данных Компрометация системы
CWE ID:	Нет данных
Наличие эксплоита:	Нет данных
Уязвимые продукты:	Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Professional Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2007 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Microsoft Office SharePoint Server 2007 Microsoft Word Viewer 2003 Microsoft Office Groove 2007 Microsoft Expression Web 1.x Microsoft Expression Web 2.x Microsoft XML Core Services (MSXML) 3.x Microsoft XML Core Services (MSXML) 4.x Microsoft XML Core Services (MSXML) 5.x Microsoft XML Core Services (MSXML) 6.x Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows Storage Server 2003 Microsoft Windows XP Home Edition Microsoft Windows XP Professional Microsoft Windows Vista Microsoft Windows Server 2008
	Уязвимые версии: Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows 2003 Microsoft Windows Vista Microsoft Windows 2008 Microsoft XML Core Services (MSXML) 3.0 Microsoft XML Core Services (MSXML) 4.0 Microsoft XML Core Services (MSXML) 5.0 Microsoft XML Core Services (MSXML) 6.0 Microsoft Office 2003 Microsoft Office 2007 Microsoft Expression Web Microsoft Expression Web 2 Описание: Обнаруженные уязвимости позволяют удаленному пользователю получить доступ к важным данным и скомпрометировать целевую систему. 1. Уязвимость существует из-за ошибки состояния операции при обработке XML данных. Удаленный пользователь может с помощью специально сформированного XML файла, содержащего разветвленные теги в различных iframe, вызвать повреждение памяти и выполнить произвольный код на целевой системе. Уязвимость существует в Microsoft XML Core Services 3.0 на Windows 2000, XP, 2003, Vista и 2008. 2. Уязвимость существует из-за ошибки при обработке проверки ошибок для внешних определений типов документов (DTD). Удаленный пользователь может с помощью специально сформированного Web сайта или email сообщения обойти междоменные политики и получить доступ к данным из другого домена. Уязвимость существует в Microsoft XML Core Services 3.0 и Microsoft XML Core Services 4.0 на Windows 2000, XP, 2003, Vista и 2008. 3. Уязвимость существует из-за ошибки при обработке заголовков “transfer-encoding”. Удаленный пользователь может с помощью специально сформированного Web сайта или email сообщения обойти междоменные политики и получить доступ к данным из другого домена. URL производителя: www.microsoft.com Решение: Установите исправление с сайта производителя.
	-- Windows 2000 -- Windows 2000 SP4 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=559cd4b6-24b7-4e60-8749-37d9b833d3eb Windows 2000 SP4 and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows 2000 SP4 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 -- Windows XP -- Windows XP SP2 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=6ed1a087-97e2-4283-9b53-b7b046654d08 Windows XP SP3 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=6ed1a087-97e2-4283-9b53-b7b046654d08 Windows XP SP2/SP3 and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows XP SP2 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 Windows XP SP3 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=7493fa37-2cbf-4d66-8690-d50d63da4096 Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=1b79f220-ebfc-49c1-963b-58bbda21b6e7 Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 -- Windows Server 2003 -- Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=0a0f8385-e908-4b5f-b9bf-80b7dabfcafd Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=347c8c83-4269-4a0e-af6f-4be2e824d22b Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=3a65e1cd-eb4e-44b6-8868-a5a84be2cb32 Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3 -- Windows Vista -- Windows Vista and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=affbc957-1867-4bbe-924d-6f0696ae0895 Windows Vista SP1 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=affbc957-1867-4bbe-924d-6f0696ae0895 Windows Vista (optionally with SP1/SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Vista and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=cb6c4315-8c6d-43af-978b-b190b1a1577a Windows Vista SP1 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=cb6c4315-8c6d-43af-978b-b190b1a1577a Windows Vista x64 Edition and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=b01a5f31-8c57-4c5c-909e-b37caf0439b0 Windows Vista x64 Edition SP1 and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=b01a5f31-8c57-4c5c-909e-b37caf0439b0 Windows Vista x64 Edition (optionally with SP1/SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Vista x64 Edition and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=39443046-2093-4c87-ac7b-679deab96414 Windows Vista x64 Edition SP1 and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=39443046-2093-4c87-ac7b-679deab96414 -- Windows Server 2008 -- Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=90a04164-4d02-4ce9-b3d8-bddb1ec27618 Windows Server 2008 for 32-bit Systems (optionally with SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=dea9f227-967f-47c7-bb2a-ed68f13645d9 Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=b7bfe3f4-835f-402c-95b5-6d49b6935308 Windows Server 2008 for x64-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=f16e2a5f-37fd-4ee1-aef0-597214323dc4 Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 3.0: http://www.microsoft.com/downloads/de...=4e0d1efe-70ac-459b-b330-c0149b74f520 Windows Server 2008 for Itanium-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0: http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14 Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 6.0: http://www.microsoft.com/downloads/de...=d4ae74e2-1b09-4a99-8cf5-8a8ca8ac6f7f -- Microsoft Office -- Office 2003 SP3 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=7ad891a8-c3bb-4479-8282-13d629c410e3 Microsoft Word Viewer 2003 SP3 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=7ad891a8-c3bb-4479-8282-13d629c410e3 2007 Microsoft Office System and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 2007 Microsoft Office System SP1 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 Microsoft Expression Web and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 Microsoft Expression Web 2 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245 Office SharePoint Server 2007 (32-bit editions) and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=a208f2b5-2b0d-43bb-8f8a-58d4a3fc64f5 Office SharePoint Server 2007 SP1 (32-bit editions) and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=a208f2b5-2b0d-43bb-8f8a-58d4a3fc64f5 Office SharePoint Server 2007 (optionally with SP1) (64-bit editions) and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=0735f4af-e32b-4970-bed7-b2b9323cf54c Office Groove Server 2007 and Microsoft XML Core Services 5.0: http://www.microsoft.com/downloads/de...=0735f4af-e32b-4970-bed7-b2b9323cf54c
Ссылки:	Concurrency strikes MSIE (potentially exploitable msxml3 flaws) (MS08-069) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218) Microsoft XML Core Services DTD Cross-Domain Scripting PoC MS08-069
	http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051616.html
Журнал изменений:	a:2:{s:4:"TEXT";s:386:" 12.11.2008 Изменено описание уязвимости, добавлены уязвимости #2-3. Изменены секции «Программа» и «Решение». Повышен рейтинг опасности. 23.11.2008 Добавлен PoC код к уязвимости #2. 30.04.2009 Изменена секция «Решение». Добавлены данные о дополнительном исправлении для Microsoft XML Core Services 4.0 для Windows Vista SP2 и Windows 2008 Server SP2";s:4:"TYPE";s:4:"html";}

Множественные уязвимости в Microsoft XML Core Services

Подпишитесь на email рассылку