TITLE:
Microsoft XML Core Services Information Disclosure and Code Execution

SECUNIA ADVISORY ID:
SA22333

VERIFY ADVISORY:
http://secunia.com/advisories/22333/

CRITICAL:
Highly critical

IMPACT:
Exposure of sensitive information, System access

WHERE:
From remote

SOFTWARE:
Microsoft XML Parser 2.x
http://secunia.com/product/12261/
Microsoft XML Core Services 3.x
http://secunia.com/product/12262/
Microsoft Core XML Services (MSXML) 6.x
http://secunia.com/product/6473/
Microsoft Core XML Services (MSXML) 4.x
http://secunia.com/product/6472/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft XML Core Services,
which can be exploited by malicious people to disclose certain
information and compromise a vulnerable system.

1) An unspecified error exists in the XMLHTTP ActiveX control when
interpreting a HTTP server-side redirect. This can be exploited to
disclose certain information e.g. via a specially crafted web page.

2) A boundary error exists in the XSLT processing in MSXML. This can
be exploited to cause a buffer overflow via a specially crafted web
page and allows execution of arbitrary code.

SOLUTION:
Apply patches.

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=f9d16d74-1785-4c33-b1fc-df5258dd1089

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows XP SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8a455c3b-213c-4395-87e9-9895f2b9a6ed

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8a455c3b-213c-4395-87e9-9895f2b9a6ed

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows XP Professional x64
Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5593333f-bcd5-4750-a23d-4f7fccda6493

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=09b77b2a-a4fd-46e2-af15-2385790c9ee7

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=09b77b2a-a4fd-46e2-af15-2385790c9ee7

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows Server 2003 for
Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for
Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=31c88513-29df-475b-b9ae-a2f5c1f32a8c

Microsoft XML Parser 2.6 (all versions) and Microsoft XML Core
Services 3.0 (all versions) on Microsoft Windows Server 2003 x64
Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6183a9d2-89f5-4b25-be8b-090c6e050740

Microsoft Office 2003 Service Pack 1 or Service Pack 2 with Microsoft
XML Core Services 5.0 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8A37C111-D8E9-4C2E-9674-169B3331491C

Microsoft XML Core Services 4.0 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5

Microsoft XML Core Services 4.0 on Microsoft Windows XP SP1 and
Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5

Microsoft XML Core Services 4.0 on Microsoft Windows Server 2003 and
Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=961f3c95-ec4e-4561-ab27-b3180e9139c5

Microsoft XML Core Services 6.0 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c

Microsoft XML Core Services 6.0 on Microsoft Windows XP SP1 and
Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c

Microsoft XML Core Services 6.0 on Microsoft Windows Server 2003 and
Microsoft Windows Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fd513435-fa6d-407c-bedc-5fd03e5b7d6c

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
MS06-061 (KB924191):
http://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx