Summary
This host is missing a critical security update according to Microsoft Bulletin MS07-034.
Impact
Successful exploitation allows remote attackers to gain access to sensitive information that is associated with the external domain.
Impact Level: System/Application
Solution
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx
Insight
The flaw is due to
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets the MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions.
- The way local or UNC navigation requests are handled in Windows Mail.
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets HTTP headers when returning MHTML content.
- MHTML protocol handler, which passes Content-Disposition notifications back to Internet Explorer.
Affected
Microsoft Windows XP Service Pack 2 and prior.
Microsoft Windows 2K3 Service Pack 2 and prior.
Microsoft Windows Vista
References
Severity
Classification
-
CVE CVE-2006-2111, CVE-2007-1658, CVE-2007-2225 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Cumulative Security Update for Internet Explorer (972260)
- Microsoft .NET Framework Privilege Elevation Vulnerability (3005210)
- Host Integration Server RPC Service Remote Code Execution Vulnerability (956695)
- Microsoft Data Analyzer ActiveX Control Vulnerability (978262)
- ADODB.Stream object from Internet Explorer (KB870669)