HighProventia Desktop, Proventia Network IPS, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects an attempt to abuse a vulnerability inMicrosoft XML Core Services to execute remote code.
High
Proventia Desktop: 2080, Proventia Network IPS: XPU 27.070, BlackICE PC Protection: 3.6cqn, BlackICE Server Protection: 3.6.cqn, RealSecure Network: XPU 27.070, RealSecure Server Sensor: XPU 27.070, Proventia-G 1.1 and earlier: XPU 27.070, Proventia Network IDS: XPU 27.070, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 27.070, IBM Security Server Protection for Windows: 1.0.914.2080, Proventia Server IPS for Linux technology: 27.070, Virtual Server Protection for Vmware: 1.0
Microsoft XML Core Services: 3.0, Microsoft XML Core Services: 4.0, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Word Viewer: 2003, Microsoft Office: 2003 SP2, Microsoft XML Core Services: 6.0, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Office Compatibility Pack: 2007, Microsoft XML Core Services: 5.0, Microsoft SharePoint Server, Microsoft Groove Server: 2007, Microsoft Office: 2007, Microsoft Expression Web
Unauthorized Access Attempt
Microsoft XML Core Services (MSXML) could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability regarding invalid memory requests. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system or cause the victim's Web browser to crash.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
—OR—Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS07-042
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227
http://www.microsoft.com/technet/security/Bulletin/MS07-042.mspx
IBM Internet Security Systems Protection Alert - Aug. 14, 2007
Microsoft XML Core Services Remote Code Execution
http://www.iss.net/threats/274.html
ZDI-07-048
Microsoft Internet Explorer substringData() Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-048.html
iDefense Labs PUBLIC ADVISORY: 08.14.07
Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=576
Full-Disclosure Mailing List, Thu Aug 16 2007 - 04:32:10 CDT
MS07-042 XMLDOM substringData() PoC
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0295.html
HPSBST02255 SSRT071456 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-042 to MS07-050
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01143196&jumpid=reg_R1002_USEN
Microsoft Security Bulletin MS08-069
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
Microsoft Security Bulletin MS10-051
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
http://www.microsoft.com/technet/security/bulletin/ms10-051.mspx
ISS X-Force
Microsoft XML Core Services (MSXML) memory request code execution
http://www.iss.net/security_center/static/35195.php
CVE
CVE-2007-2223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2223