Multiple vulnerabilities in Microsoft XML Core Services
| Published: | 09.01.2007 |
| Modified: | 11.08.2010 |
| Total views: | 4104 |
| Severity: | High |
| Fix available: | Yes |
| Number of vulnerabilities: | 3 |
| CVSSv2 score: |
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C) = Base:10/Temporal:7.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C) = Base:6.4/Temporal:5
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C) = Base:6.4/Temporal:4.7 |
| CVE ID: |
CVE-2007-0099
CVE-2008-4029
CVE-2008-4033 |
| Attack vector: | Remote |
| Impact: |
Disclosure of sensitive data
System compromise |
| CWE ID: | No data |
| Exploit available: | |
| Vulnerable products: |
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2007
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office SharePoint Server 2007
Microsoft Word Viewer 2003
Microsoft Office Groove 2007
Microsoft Expression Web 1.x
Microsoft Expression Web 2.x
Microsoft XML Core Services (MSXML) 3.x
Microsoft XML Core Services (MSXML) 4.x
Microsoft XML Core Services (MSXML) 5.x
Microsoft XML Core Services (MSXML) 6.x
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows Vista
Microsoft Windows Server 2008 |
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 2003
Microsoft Windows Vista
Microsoft Windows 2008
Microsoft XML Core Services (MSXML) 3.0
Microsoft XML Core Services (MSXML) 4.0
Microsoft XML Core Services (MSXML) 5.0
Microsoft XML Core Services (MSXML) 6.0
Microsoft Office 2003
Microsoft Office 2007
Microsoft Expression Web
Microsoft Expression Web 2
Description:
The vulnerabilities allow a remote user to gain access to sensitive data and compromise the target system.
1. The vulnerability exists due to a race condition when processing XML data. A remote user can use a specially crafted XML file containing nested tags in different iframes to cause memory corruption and execute arbitrary code on the target system. The vulnerability exists in Microsoft XML Core Services 3.0 on Windows 2000, XP, 2003, Vista and 2008.
2. The vulnerability exists due to an error in error checking when handling external document type definitions (DTDs). A remote user can use a specially crafted website or email message to bypass cross-domain policies and gain access to data from another domain. The vulnerability exists in Microsoft XML Core Services 3.0 and Microsoft XML Core Services 4.0 on Windows 2000, XP, 2003, Vista and 2008.
3. The vulnerability exists due to an error when handling "transfer-encoding" headers. A remote user can use a specially crafted website or email message to bypass cross-domain policies and gain access to data from another domain.
Vendor URL: www.microsoft.com
Solution: Install the fix from the vendor's website.
-- Windows 2000 --
Windows 2000 SP4 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=559cd4b6-24b7-4e60-8749-37d9b833d3eb
Windows 2000 SP4 and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows 2000 SP4 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
-- Windows XP --
Windows XP SP2 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=6ed1a087-97e2-4283-9b53-b7b046654d08
Windows XP SP3 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=6ed1a087-97e2-4283-9b53-b7b046654d08
Windows XP SP2/SP3 and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows XP SP2 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
Windows XP SP3 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=7493fa37-2cbf-4d66-8690-d50d63da4096
Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=1b79f220-ebfc-49c1-963b-58bbda21b6e7
Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows XP Professional x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
-- Windows Server 2003 --
Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=0a0f8385-e908-4b5f-b9bf-80b7dabfcafd
Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2003 SP1/SP2 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=347c8c83-4269-4a0e-af6f-4be2e824d22b
Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2003 x64 Edition (optionally with SP2) and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=3a65e1cd-eb4e-44b6-8868-a5a84be2cb32
Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2003 with SP1/SP2 for Itanium-based Systems and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=59914795-60c7-4ebe-828d-f28cb457e6e3
-- Windows Vista --
Windows Vista and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=affbc957-1867-4bbe-924d-6f0696ae0895
Windows Vista SP1 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=affbc957-1867-4bbe-924d-6f0696ae0895
Windows Vista (optionally with SP1/SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Vista and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=cb6c4315-8c6d-43af-978b-b190b1a1577a
Windows Vista SP1 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=cb6c4315-8c6d-43af-978b-b190b1a1577a
Windows Vista x64 Edition and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=b01a5f31-8c57-4c5c-909e-b37caf0439b0
Windows Vista x64 Edition SP1 and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=b01a5f31-8c57-4c5c-909e-b37caf0439b0
Windows Vista x64 Edition (optionally with SP1/SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Vista x64 Edition and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=39443046-2093-4c87-ac7b-679deab96414
Windows Vista x64 Edition SP1 and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=39443046-2093-4c87-ac7b-679deab96414
-- Windows Server 2008 --
Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=90a04164-4d02-4ce9-b3d8-bddb1ec27618
Windows Server 2008 for 32-bit Systems (optionally with SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2008 for 32-bit Systems and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=dea9f227-967f-47c7-bb2a-ed68f13645d9
Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=b7bfe3f4-835f-402c-95b5-6d49b6935308
Windows Server 2008 for x64-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2008 for x64-based Systems and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=f16e2a5f-37fd-4ee1-aef0-597214323dc4
Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 3.0:
http://www.microsoft.com/downloads/de...=4e0d1efe-70ac-459b-b330-c0149b74f520
Windows Server 2008 for Itanium-based Systems (optionally with SP2) and Microsoft XML Core Services 4.0:
http://www.microsoft.com/downloads/de...=96a4413c-5261-4f69-83d0-932c430abd14
Windows Server 2008 for Itanium-based Systems and Microsoft XML Core Services 6.0:
http://www.microsoft.com/downloads/de...=d4ae74e2-1b09-4a99-8cf5-8a8ca8ac6f7f
-- Microsoft Office --
Office 2003 SP3 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=7ad891a8-c3bb-4479-8282-13d629c410e3
Microsoft Word Viewer 2003 SP3 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=7ad891a8-c3bb-4479-8282-13d629c410e3
2007 Microsoft Office System and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
2007 Microsoft Office System SP1 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
Microsoft Expression Web and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
Microsoft Expression Web 2 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=27b06ee8-570a-4dc2-a230-c70d4a706245
Office SharePoint Server 2007 (32-bit editions) and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=a208f2b5-2b0d-43bb-8f8a-58d4a3fc64f5
Office SharePoint Server 2007 SP1 (32-bit editions) and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=a208f2b5-2b0d-43bb-8f8a-58d4a3fc64f5
Office SharePoint Server 2007 (optionally with SP1) (64-bit editions) and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=0735f4af-e32b-4970-bed7-b2b9323cf54c
Office Groove Server 2007 and Microsoft XML Core Services 5.0:
http://www.microsoft.com/downloads/de...=0735f4af-e32b-4970-bed7-b2b9323cf54c
References:
Concurrency strikes MSIE (potentially exploitable msxml3 flaws)
(MS08-069) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
Microsoft XML Core Services DTD Cross-Domain Scripting PoC MS08-069
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051616.html
Change log:
12.11.2008
The vulnerability description was changed and vulnerabilities #2-3 were added. The "Program" and "Solution" sections were changed. The severity rating was raised.
23.11.2008
PoC code was added for vulnerability #2.
30.04.2009
The "Solution" section was changed. Information was added about an additional fix for Microsoft XML Core Services 4.0 for Windows Vista SP2 and Windows 2008 Server SP2.

