Summary
This host is missing a critical security update according to Microsoft Bulletin MS07-034.
Impact
Successful exploitation allows remote attackers to gain access to sensitive information that is associated with the external domain.
Impact Level: System/Application
Solution
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx
Insight
The flaw is due to
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets the MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions.
- The way local or UNC navigation requests are handled in Windows Mail.
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets HTTP headers when returning MHTML content.
- MHTML protocol handler, which passes Content-Disposition notifications back to Internet Explorer.
Affected
Microsoft Windows XP Service Pack 2 and prior.
Microsoft Windows 2K3 Service Pack 2 and prior.
Microsoft Windows Vista
References
Severity
Classification
-
CVE CVE-2006-2111, CVE-2007-1658, CVE-2007-2225 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Bluetooth Stack Could Allow Remote Code Execution Vulnerability (951376)
- Microsoft .NET Framework and Silverlight Remote Code Execution Vulnerability (2514842)
- Cumulative Patch for Internet Information Services (Q327696)
- Internet Information Services (IIS) FTP Service Remote Code Execution Vulnerability (2489256)
- Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)