Vulnerability in Microsoft XML HTTP Request Handling

Notification Type: Internet Security Systems Protection Alert
Notification Date: November 4, 2006
Notification Version: 1.3
   
Name: Vulnerability in Microsoft XML HTTP Request Handling
Public disclosure/
In the wild date:		 November 3, 2006
Description:

ISS X-Force was the first research group to discover active exploitation of an undislosed vulnerability in Microsoft’s XML HTTP request handling. 

Current exploitation of this vulnerability through Internet Explorer.  Specifically, these exploits target Internet Explorer through a vulnerable ActiveX control.  Successful exploitation of this vulnerability may result in remote code execution.

All ISS IPS/IDS products and host products had pre-emptive protection against this threat through heuristic Javascript/Shellcode exploit detection signatures and through Buffer Overflow Exploit Prevention (BOEP).  In addition to this pre-emptive protection, ISS has provided a third IPS/IDS signature to prevent this specific vulnerability from being exploited.

Our web-filtering technology is automatically updated to protect against malicious sites that attempt to host this kind of malicious material.  Every customer using our filtering technology or database of URL's was protected within moments of this discovery in early Nov.

 

ISS Coverage

Product

 Content Version

Network Sensor 7.0
Proventia A
Proventia IPS (G/GX) prior to Firmware Version 1.2
Server Sensor 7.0

 24.50

Proventia IPS (G/GX) Firmware Version 1.2 or
later
Proventia M
Proventia Server (Linux)

1.89

Proventia Server (Windows)

1.0.914.1900

Proventia Desktop

8.0.x.1900

RealSecure Desktop 7.0

EPV

BlackICE PC Protection 3.6

CPV

Proventia Web

early Nov update for malicious websites

Propagation Techniques

ISS Protection

 Available
web browsing, email link, etc.

JavaScript_NOOP_Sled
JavaScript_Shellcode_Detected
HTML_MSXML_Memory_Corruption

Buffer Overflow Exploit Preventiion (BOEP)

Web filtering

Mar 24, 2006
Mar 28, 2006
Nov 7, 2006

May 10, 2005

 Nov 2 2006

Detailed Description
Business Impact: An attacker may host a maliciously crafted HTML document on a website and entice the victim to click on a link, which will load the document in their browser. Once the document is loaded, the attacker will be able to execute arbitrary code on the victim’s machine with the permissions of the victim user. This could lead to loss of confidential information, disruption of business, or further compromise of internal systems and networks.
CVSS: Base Score:  8.0
  Access Vector:  Remote
Access Complexity:  High
Authentication:  Not Required
Confidentiality Impact:  Complete
Integrity Impact:  Complete
Availability Impact:  Complete
Impact Bias:  Normal
Adjusted Temporal Score:  7.6
  Exploitability:  Functional
Remediation Level:  Unavailable
Report Confidence:  Confirmed
Affected Products: Microsoft XML Core Services 4.0 when installed on Windows 2000 Service Pack 4

Microsoft XML Core Services 4.0 when installed on Microsoft Windows XP
Service Pack 2

Microsoft XML Core Services 4.0 when installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Technical Description: This vulnerability resides in some of the core XML engines within Microsoft Windows.  It is the result of the engine’s inability to properly handle improper arguments passed to one of the methods associated with the XML request object.

This improper handling results in memory corruption and ultimately may result in remote code execution.

While many third party applications may make use of the vulnerable request object, X-Force feels that there are such specific requirements to trigger the vulnerable condition, that this is most likely only exploitable by instantiating the vulnerable object within a web browser.

References
X-Force Database http://xforce.iss.net/xforce/xfdb/30004
Microsoft http://www.microsoft.com/technet/security/advisory/927892.mspx

Revision History

Version 1.0 November 4, 2006 - Initial alert release

Version 1.1 November 6, 2006 - Added confirmation that buffer overflow exploit prevention stopped these exploits

Version 1.2 November 7, 2006 - Changed affected versions to focus on vulnerable component and added additional coverage information

Verison 1.3 November 8, 2006 - Added content filtering information and converted to new alert format.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.