Microsoft Security Release for June 2007
<p>Hello again... this month's update contains 6 advisories with a total of 15 patched vulnerabilities. Major apps for this month were once again IE and Outlook/Windows Mail, coming in with 6 and 4 patched vulnerabilities respectively. This month we also see updates for file-based attack vectors against Visio, patches for remotely exploitable vulnerabilities in both a dev library and a security package, and a fix for a fairly low-profile information disclosure vulnerability in Vista.<br />
As usual details are given below in order of descending urgency. Happy patching, and we'll be back for another round next month...</p>
<p><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-034.mspx">MS07-034</a>; <a href="http://support.microsoft.com/kb/929123">KB929123</a><br />
<strong>Cumulative Security Update for Outlook Express and Windows Mail</strong></p>
<p>This release addresses four issues in Windows Mail (Vista) and Outlook Express 6 (all others). It also replaces previous bulletins MS06-016, MS06-043, and MS06-076. Three of the four issues are various ways attackers can access cookies and other information from other domains via manipulation of MHTML references.</p>
<p>• Microsoft Windows Vista Windows Mail Local File Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/23103">23103</a>; CVE: CVE-2007-1658 <br />
(Symantec Urgency Rating: 8.5; MS Rating: Critical)<br />
This issue was first disclosed on Mar 23 2007, and affects only the Vista mail client.<br />
Microsoft Vista Windows Mail executes any scripts or program files that have an associated folder with the same name. An attacker must entice a victim into opening a maliciously crafted link using the affected application. When the issue is triggered, the attacker-requested file runs without requiring any further actions by the user.<br />
Attackers may exploit this issue to execute local or locally-accessible files, including those on network shares. </p>
<p>• Outlook Express MHTML URI Handler Information Disclosure Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/17717">17717</a>; CVE: CVE-2006-2111 <br />
(Symantec Urgency Rating: 7.5; MS Maximum Rating: Important)<br />
This vulnerability has been public knowledge since Apr 27 2006. Since then there had been some debate about whether browsers were affected directly, and if IE7 was vulnerable - this was clarified in a blog post from MS in October, and is now patchable.<br />
Outlook Express and Windows Mail are prone to a cross-domain information-disclosure vulnerability. The problem is that the browser fails to correctly handle redirections with the 'mhtml:' URI handler. <br />
This vulnerability can occur when a user follows a 'mhtml:' link on a malicious page that leads to a site in another domain. Attackers could exploit this issue to gain access to sensitive information (such as cookies or passwords) that is associated with the external domain.<br />
<br />
• Microsoft Outlook Express MHTML URL Redirect Information Disclosure Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24392">24392</a>; CVE: CVE-2007-2225 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Important)<br />
Outlook Express is prone to a cross-domain information-disclosure vulnerability. The MHTML protocol handler permits encoded documents to be rendered in applications. <br />
This vulnerability can occur when a user follows an 'mhtml:' link in an HTML email or on a malicious page. Attackers could exploit this issue to gain access to sensitive information (such as cookies or passwords) that is associated with the external domain. </p>
<p>• Microsoft Outlook Express Content Disposition Parsing Information Disclosure Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24410">24410</a>; CVE: CVE-2007-2227 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Moderate) <br />
This is the third and last of the cross-domain information disclosure issues, again related to MHTML handling.</p>
<p><br />
<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx">MS07-031</a>;<a href="http://support.microsoft.com/kb/935840">KB935840</a><br />
<strong>Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution</strong></p>
<p>This affects all currently supported Microsoft operating systems up to (but not including) Vista. The potential impact is dependent on the target OS; XP can be caused to execute arbitrary code; all others can be crashed remotely. Due to this discrepancy, the MS rating is different per platform - Critical on XP, Moderate or Important on the rest.</p>
<p>• Microsoft Windows Schannel Security Remote Code Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24416">24416</a>; CVE: CVE-2007-2218 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
<br />
The Microsoft Windows Schannel security package is used to provide 128-bit strong encryption in Internet Explorer.<br />
An attacker can exploit a vulnerability in this package by enticing a victim into visiting a malicious web page. This vulnerability occurs during the processing and validation of server-sent digital signatures by the client application. Expect to see exploits for this added to the currently available browser attack toolkits in the near future.</p>
<p><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-035.mspx">MS07-035</a>;<a href="http://support.microsoft.com/kb/935839">KB935839</a><br />
<strong>Vulnerability in Win 32 API Could Allow Remote Code Execution</strong></p>
<p>• Microsoft Win32 API Parameter Validation Remote Code Execution Vulnerability<br />
BID <a href="http://www.securityfocus.com/bid/24370">24370</a>; CVE: CVE-2007-2219 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
This was originally disclosed in April of this year. The library is prone to a remote code-execution vulnerability. Specifically, this vulnerability occurs when the Win32 API component parses unspecified parameters that are passed to it from other applications such as Internet Explorer. An attacker may trigger this vulnerability by convincing a victim user to follow a malicious URI, ultimately resulting in the execution of attacker-supplied code.</p>
<p><br />
<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx">MS07-033</a>;<a href="http://support.microsoft.com/kb/933566">KB933566</a><br />
<strong>Cumulative Security Update for Internet Explorer</strong></p>
<p>This update addresses 6 vulnerabilities in IE, and replaces MS07-027 as well. IE versions 5 to 7 are all affected. Details on some of these are still limited, and the BID writeups will be updated as more information becomes available. All of these are rated "Important" by Microsoft on the Server 2003 platform due to the availability of Enhanced Security Configuration. </p>
<p>• Microsoft Internet Explorer Unspecified Uninitialized Memory Corruption Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24418">24418</a>; CVE: CVE-2007-1751 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when accessing objects that are improperly instantiated or deleted. </p>
<p>• Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24423">24423</a>; CVE: CVE-2007-1750 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
Microsoft Internet Explorer fails to properly handle certain CSS data.</p>
<p>• Microsoft Internet Explorer Speech API 4 COM Object Instantiation Memory Corruption Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24426">24426</a>; CVE: CVE-2007-2222 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when instantiating certain COM objects.<br />
The vulnerability exists in the speech control of the Speech API 4. The following COM object CLSIDs and corresponding DLLs are affected:</p>
<p> - {4E3D9D1F-0C63-11D1-8BFB-0060081841DE}, Xlisten.dll <br />
- {EEE78591-FE22-11D0-8BEF-0060081841DE}, Xvoice.dll</p>
<p>• Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24372">24372</a>; CVE: CVE-2007-0218 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
This issue occurs because of the flawed manner in which certain COM objects (which were not intended to be instantiated from a browser) return values to the browser when called by a web page. These COM objects are located in the 'urlmon.dll' library.<br />
The following CLSIDs are affected:<br />
- {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}<br />
- {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}<br />
- {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B}<br />
- {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B}<br />
- {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}<br />
- {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}<br />
- {3DD53D40-7B8B-11D0-B013-00AA0059CE02}</p>
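<p>An added example, not part of the original post or of Microsoft's bulletin: a small audit that reads a registry export and reports which of the Speech API 4 and urlmon.dll CLSIDs listed above do not have the Internet Explorer kill bit (Compatibility Flags 0x400) set. It assumes the input is text produced by exporting the ActiveX Compatibility key; the sample export is constructed.</p>

```python
import re

# CLSIDs listed above for CVE-2007-2222 (Speech API 4) and CVE-2007-0218 (urlmon.dll).
AFFECTED_CLSIDS = [
    "{4E3D9D1F-0C63-11D1-8BFB-0060081841DE}",  # Xlisten.dll
    "{EEE78591-FE22-11D0-8BEF-0060081841DE}",  # Xvoice.dll
    *("{79EAC9E%d-BAF9-11CE-8C82-00AA004BA90B}" % n for n in range(2, 8)),
    "{3DD53D40-7B8B-11D0-B013-00AA0059CE02}",
]
KILL_BIT = 0x400  # "Compatibility Flags" bit that blocks instantiation in IE
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def kill_bit_status(reg_text):
    """Map each affected CLSID to True (kill bit set) or False (unset or absent)."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
        elif line.startswith("["):
            current = None  # a different key: ignore its values
        elif current:
            m = FLAGS_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return {c: bool(flags.get(c, 0) & KILL_BIT) for c in AFFECTED_CLSIDS}

def missing_kill_bits(reg_text):
    """CLSIDs from the list above that IE could still instantiate."""
    return [c for c, ok in kill_bit_status(reg_text).items() if not ok]

# Constructed sample export (assumption: text form of a registry export, not a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4E3D9D1F-0C63-11D1-8BFB-0060081841DE}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{79eac9e2-baf9-11ce-8c82-00aa004ba90b}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3DD53D40-7B8B-11D0-B013-00AA0059CE02}]
"Compatibility Flags"=dword:00010400
"""

if __name__ == "__main__":
    print("\n".join("kill bit not set: " + c for c in missing_kill_bits(SAMPLE_REG)))
```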
<p>• Microsoft Internet Explorer Language Pack Installation Remote Code Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24429">24429</a>; CVE: CVE-2007-3027 <br />
(Symantec Urgency Rating: 7.1; MS Maximum Rating: Critical)<br />
Microsoft Internet Explorer is prone to a remote code-execution vulnerability because of a race condition in its language-pack installation support. <br />
Specifically, this issue occurs when Internet Explorer attempts to render an HTML document that requires language character sets that do not already exist on the affected computer. In this scenario, an install-on-demand feature attempts to download and install the required files. A race-condition may occur when multiple language packs are simultaneously installed, potentially resulting in memory corruption.</p>
<p>• Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/22966">22966</a>; CVE: CVE-2007-1499 <br />
(Symantec Urgency Rating: 6.1; MS Maximum Rating: Critical)<br />
This issue was publicly disclosed in March of this year. Microsoft Internet Explorer versions 5 to 7 (inclusive) are prone to a webpage-spoofing vulnerability in the "Navigation Canceled" page. This issue arises when rendering the local 'Navigation Canceled' resource page 'res://ieframe.dll/navcancel.htm'. When page navigation is canceled, the intended URI path is appended to the local resource path following a '#' character (e.g. 'res://ieframe.dll/navcancel.htm#http://www.example.com'). A 'Refresh the page' web link is generated and rendered on the page. Arbitrary script code contained in the destination URI will be executed when a user follows the link. An attacker can exploit this issue to steal cookie-based authentication credentials and obtain sensitive information that may aid in further attacks. </p>
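<p>An added example, not part of the original post: a content filter check that finds links to the navcancel.htm resource page in an HTML body and flags any whose appended target after '#' is not a plain http or https URI. The function names, the three-round decoding limit and the sample message body are assumptions made for illustration, and the pattern accepts any DLL name rather than only ieframe.dll.</p>

```python
import re
from urllib.parse import unquote

# Matches the local resource page named above; any DLL name is accepted.
NAVCANCEL_RE = re.compile(r"res://[^/\s\"'#]+/navcancel\.htm#([^\s\"'<>]*)", re.I)
ALLOWED_SCHEMES = ("http://", "https://")

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding so an encoded scheme cannot slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_navcancel_links(html):
    """Return navcancel.htm links whose appended target is not http(s)."""
    findings = []
    for match in NAVCANCEL_RE.finditer(html):
        target = fully_unquote(match.group(1))
        # Drop whitespace and control characters before comparing schemes.
        normalized = "".join(ch for ch in target if ch > " ").lower()
        if not normalized.startswith(ALLOWED_SCHEMES):
            findings.append(match.group(0))
    return findings

# Constructed sample message body (not taken from a real incident).
SAMPLE_HTML = """
<a href="res://ieframe.dll/navcancel.htm#http://www.example.com">retry</a>
<a href="res://ieframe.dll/navcancel.htm#javascript:void(0)">retry</a>
<a href="RES://ieframe.dll/NavCancel.htm#%6Aavascript:void(0)">retry</a>
<a href="http://www.example.com/#navcancel.htm">unrelated</a>
"""

if __name__ == "__main__":
    for link in suspicious_navcancel_links(SAMPLE_HTML):
        print("flagged:", link)
```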
<p><br />
<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-030.mspx">MS07-030</a>;<a href="http://support.microsoft.com/kb/927051">KB927051</a> <br />
<strong>Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution</strong></p>
<p>Two previously unpublished issues in Visio get addressed this month, both of which can allow for arbitrary code execution in the context of the victim user. Visio 2002 and 2003 are affected; Visio 2007 is not. Attacks can come in the form of .VSS, .VST, or .VSD files for both of them.</p>
<p>• Microsoft Visio Packed Objects Remote Code Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24384">24384</a>; CVE: CVE-2007-0936 <br />
(Symantec Urgency Rating: 7.1; MS Rating: Important)<br />
Visio is prone to a remote code-execution vulnerability when parsing packed objects within .VSS, .VSD, or .VST files.</p>
<p>• Microsoft Visio Version Number Remote Code Execution Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24349">24349</a>; CVE: CVE-2007-0934 <br />
(Symantec Urgency Rating: 7.1; MS Rating: Important)<br />
This issue occurs when the application processes the 'version number' field of .VSS, .VSD, and .VST files.</p>
<p><br />
<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-032.mspx">MS07-032</a>;<a href="http://support.microsoft.com/kb/931213">KB931213</a><br />
<strong>Vulnerability in Windows Vista Could Allow Information Disclosure</strong></p>
<p>• Microsoft Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability <br />
BID <a href="http://www.securityfocus.com/bid/24411">24411</a>; CVE: CVE-2007-2229 <br />
(Symantec Urgency Rating: 5.2; MS Rating: Moderate)<br />
Microsoft Windows Vista is prone to a local information-disclosure vulnerability. This issue occurs because the application permits non-privileged users to access local user information stores contained within the registry and local file system.<br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/06/microsoft_security_release_for.html
Tue, 12 Jun 2007 15:09:00 -0800