Summary
This host is missing a critical security update according to Microsoft Bulletin MS07-034.
Impact
Successful exploitation allows remote attackers to gain access to sensitive information that is associated with the external domain.
Impact Level: System/Application
Solution
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx
Insight
The flaw is due to
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets the MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions.
- The way local or UNC navigation requests are handled in Windows Mail.
- Error in Windows because the 'MHTML' protocol handler incorrectly interprets HTTP headers when returning MHTML content.
- MHTML protocol handler, which passes Content-Disposition notifications back to Internet Explorer.
Affected
Microsoft Windows XP Service Pack 2 and prior.
Microsoft Windows 2K3 Service Pack 2 and prior.
Microsoft Windows Vista
References
Severity
Classification
-
CVE CVE-2006-2111, CVE-2007-1658, CVE-2007-2225 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Cumulative Security Update for Internet Explorer (937143)
- Microsoft .NET Framework Privilege Elevation Vulnerability (2769324)
- Buffer Overrun in Messenger Service (828035)
- Microsoft IIS Authentication Remote Code Execution Vulnerability (982666)
- Microsoft Foundation Class (MFC) Library Remote Code Execution Vulnerability (2500212)