PROBLEM: | A remote code execution vulnerability exists in Microsoft XML Core Services (MSXML) that could allow an attacker who successfully exploited it to make changes to the system with the permissions of the logged-on user. |
PLATFORM: | Windows 2000 Service Pack 4 (Microsoft XML Core Services 3.0, 4.0, 6.0); Windows XP Service Pack 2; Windows XP Professional x64 Edition and x64 Edition Service Pack 2; Windows Server 2003 Service Pack 1 and Service Pack 2; Windows Server 2003 x64 Edition and x64 Edition Service Pack 2; Windows Server 2003 with SP1 and SP2 for Itanium-based Systems; Windows Vista and Windows Vista x64 Edition. Office software: Microsoft Office 2003 Service Pack 2; 2007 Microsoft Office System; Microsoft Office SharePoint Server and Microsoft Office Groove Server 2007 |
DAMAGE: | Could allow remote code execution. |
SOLUTION: | Apply the update for each affected platform and MSXML version listed in MS07-042; MSXML 4.0 and 6.0 must be patched separately wherever they are installed. |
VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. If the user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured with fewer rights on the system are less exposed than users who operate with administrative rights.
LINKS: | |
CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/r-316.shtml |
ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS07-042.mspx |
CVE: | CVE-2007-2223 |
REVISION HISTORY:
08/16/2007 - revised R-316 to reflect changes Microsoft has made in MS07-042, where they corrected file manifest information for Microsoft XML Core Services 4.0.
09/28/2007 - revised R-316 to reflect changes Microsoft has made in MS07-042, where they added Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Expression Web as affected products. The bulletin has also been updated to inform customers that a potential reliability issue exists in applications that have installed Microsoft XML Core Services 4.0 on Windows Vista.
01/10/2008 - revised R-316 to reflect changes Microsoft has made in MS07-042, where they added Microsoft Word Viewer 2003 as an affected product. An Update FAQ was also added clarifying the kill bit for Microsoft XML Parser 2.6 and its applicability to this security update.
06/27/2008 - revised R-316 to reflect changes Microsoft has made in MS07-042, where they added Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista x64 Edition Service Pack 1, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems as affected software. This is a detection update only; there are no changes to the binaries.
[***** Start Microsoft Security Bulletin (MS07-042) *****]
Version: 4.0
Security Update Deployment
* Windows 2000 (all editions)
* Windows XP (all editions)
* Windows Server 2003 (all editions)
* Windows Vista (all editions)
* Office 2003 Service Pack 2
* 2007 Microsoft Office System
* Microsoft Office SharePoint Server and Microsoft Office Groove Server 2007
* Microsoft XML Core Services 4 When Installed on Windows (all versions)
* Microsoft XML Core Services 6 When Installed on Windows (all versions)
[***** End Microsoft Security Bulletin (MS07-042) *****]
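Because MSXML 4.0 and 6.0 are patched independently of the operating system and the bulletin revisions above turn on file manifest versions and on the MSXML 2.6 kill bit, a practitioner wants a quick way to see which MSXML builds a host actually carries and which MSXML CLSIDs are already kill-bitted. The script below is an added example and is not code from CIAC or from the Microsoft bulletin. It assumes the operator supplies the fixed file versions from the MS07-042 file manifest in the hypothetical `-FixedVersions` hashtable; with no values supplied it only reports what is installed. It reads the registry and file version resources and changes nothing.

```powershell
# Added example (not CIAC's or Microsoft's code): inventory MSXML DLLs and the
# ActiveX kill bits that point at MSXML, for comparison with the MS07-042 manifest.
param(
    # Assumption: filled in by the operator from the MS07-042 file manifest,
    # e.g. @{ 'msxml3.dll' = '<fixed build>' }. Left empty here on purpose; when
    # empty the script reports versions but cannot judge patch state.
    [hashtable]$FixedVersions = @{}
)

$sysDirs = @(Join-Path $env:windir 'System32')
$wow = Join-Path $env:windir 'SysWOW64'
if (Test-Path $wow) { $sysDirs += $wow }    # 32-bit copies on x64 hosts

# --- 1. MSXML DLLs on disk, with file version and (if known) patch state -------
$report = foreach ($dir in $sysDirs) {
    Get-ChildItem -Path $dir -Filter 'msxml*.dll' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $vi = $_.VersionInfo
        # Build System.Version from the numeric parts; the FileVersion string can
        # carry trailing build text on some releases, so do not parse it directly.
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        $name  = $_.Name.ToLower()
        $state = 'unknown (no fixed version supplied)'
        if ($FixedVersions.ContainsKey($name)) {
            $fixed = [System.Version]$FixedVersions[$name]
            $state = if ($ver -ge $fixed) { 'patched' } else { 'VULNERABLE (below fixed build)' }
        }
        New-Object PSObject -Property @{
            Path = $_.FullName; FileVersion = $ver; State = $state
        }
    }
}
$report | Format-Table Path, FileVersion, State -AutoSize

# --- 2. Kill bits whose CLSID resolves to an MSXML in-process server -----------
# A control is kill-bitted when bit 0x400 is set in its "Compatibility Flags".
$KILLBIT = 0x400
$compatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
)

foreach ($key in ($compatKeys | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid = $_.PSChildName
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or -not ($flags -band $KILLBIT)) { return }   # not kill-bitted
        # Resolve the CLSID to its InprocServer32 so we know which DLL it disables.
        foreach ($root in $classRoots) {
            $srvKey = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srvKey) {
                $server = (Get-ItemProperty -Path $srvKey).'(default)'
                if ($server -match 'msxml') {
                    '{0,-40} kill bit set -> {1}' -f $clsid, $server
                }
            }
        }
    }
}
```

Run it from an elevated PowerShell prompt on the host being assessed. Section 1 is where the manifest comparison happens: the reported `State` is only meaningful for DLL names present in the hashtable, which is why the example leaves the versions for the operator to fill in from the bulletin rather than hardcoding them. Section 2 is the check behind the MSXML 2.6 kill-bit FAQ noted in the revision history: a kill bit only prevents Internet Explorer from instantiating the control, so a kill-bitted MSXML CLSID still needs the DLL itself patched if other applications load it.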
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org