SecurityvulnsSECURITYVULNS:DOC:18392Microsoft Security Bulletin MS07-061 – Critical Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
Microsoft Security Bulletin MS07-061 – Critical
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
Published: November 13, 2007
Version: 1.0
General Information
Executive Summary
This update resolves a publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.
This is a critical security update for all supported editions of Windows XP and Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by changing the way that Windows shell handles invalid URIs. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 943521. For more information, see the FAQ subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
Top of sectionTop of section
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Operating System Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by This Update
Windows XP Service Pack 2
Remote Code Execution
Critical
MS06-045
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Remote Code Execution
Critical
MS06-045
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Remote Code Execution
Critical
MS06-045
Windows Server 2003 x64 Edition and Windows 2003 Server x64 Edition Service Pack 2
Remote Code Execution
Critical
MS06-045
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
Remote Code Execution
Critical
MS06-045
Non-Affected Software
Operating System
Microsoft Windows 2000 Service Pack 4
Windows Vista
Windows Vista x64
Top of sectionTop of section
Frequently Asked Questions (FAQ) Related to This Security Update
I am using an older version of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which versions or editions are affected. Other versions or editions are past their support life cycle. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older versions or editions of the software to migrate to supported versions or editions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Windows URI Handling Vulnerability - CVE-2007-3896 Aggregate Severity Rating
Windows XP Service Pack 2
Critical
Remote Code Execution
Critical
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Critical
Remote Code Execution
Critical
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Critical
Remote Code Execution
Critical
Windows Server 2003 x64 Edition and Windows 2003 Server x64 Edition Service Pack 2
Critical
Remote Code Execution
Critical
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based systems
Critical
Remote Code Execution
Critical
Top of sectionTop of section
Windows URI Handling Vulnerability - CVE-2007-3896
A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. An attacker could exploit this vulnerability by including a specially crafted URI in an application or attachment, which could potentially allow remote code execution.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3896.
Mitigating Factors for Windows URI Handling Vulnerability - CVE-2007-3896
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
•
Windows 2000 Service Pack 4 is not affected
•
Windows Vista is not affected
•
Windows Vista x64 Edition is not affected
•
Microsoft has not identified a way to exploit this vulnerability on any Windows operating system that is running Internet Explorer 6
•
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•
In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. To be more at risk from this vulnerability, users would have to either click on a link that would take them to a malicious Web site or open an attachment.
Top of sectionTop of section
Workarounds for Windows URI Handling Vulnerability - CVE-2007-3896
Microsoft has not identified any workarounds for this vulnerability.
Top of sectionTop of section
FAQ for Windows URI Handling Vulnerability - CVE-2007-3896
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
The Windows shell insufficiently handles invalid URIs.
What is a URI?
A Uniform Resource Identifier (URI) is a string of characters used to act on or identify resources from the Internet or over a network. A URL is a typical example of a URI that references a resource such as a Web site. For more information about URIs, see RFC 2396.
What might an attacker use the vulnerability to do?
An attacker who has convinced a user to open an attachment in mail or to follow a link to an attacker's Web site could run arbitrary code as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker would have to create a specially crafted URI and provide the URI as input to an application on an affected system, which would then attempt to access the resource referred to it by the URI. Applications that take URIs as input from untrusted sources such as attachments in e-mail, documents, or data from the network assuming it will be safe, are exposed to this vulnerability. Under specific circumstances, processing specially crafted URI input could allow arbitrary code to be executed. In order to exploit the vulnerability, an attacker would have to convince the user to launch the attachment or application, or visit the Web site. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This vulnerability might also be exploited by compromised Web sites or Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted URIs that could exploit this vulnerability. It could also be possible to display specially crafted URIs by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
Systems running supported editions of Windows XP and Windows Server 2003 with Internet Explorer 7 installed are vulnerable.
What does the update do?
The update removes the vulnerability by changing the way that the Windows shell handles invalid URIs.
I do not have Windows Internet Explorer 7 installed. Why am I receiving this update?
The vulnerability exists in a Windows file, Shell32.dll, included in supported editions of Windows XP and Windows Server 2003. Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6, which is the browser that is included with these operating systems. As a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed.
I am using Windows Vista, am I at risk from this vulnerability?
No. Windows Vista is not affected by this vulnerability. Windows Internet Explorer 7 is included with Windows Vista but the Windows shell in Windows Vista is not affected by this vulnerability.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability had been publicly disclosed when this security bulletin was originally issued. It has been assigned the Common Vulnerability and Exposure number CVE-2007-3896. This vulnerability was first described in Microsoft Security Advisory 943521.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.
Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2007-3896.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
•
Jesper Johansson for working with us on the Windows URI Handling Vulnerability (CVE-2007-3896).
•
Carsten H. Eiram of Secunia for working with us on the Windows URI Handling Vulnerability (CVE-2007-3896).
•
Aviv Raff of Finjan for working with us on the Windows URI Handling Vulnerability (CVE-2007-3896).
•
Petko Petkov of GNUCITIZEN for working with us on the Windows URI Handling Vulnerability (CVE-2007-3896).
Support
•
Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
•
V1.0 (November 13, 2007): Bulletin published.
Related
