HOME > VULNERABILITY NOTES


   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2006-112
Microsoft XML Core Services XMLHTTP ActiveX Control Code Execution Vulnerability

Original Issue Date: November 06, 2006
Updated on: November 15, 2006

Severity Rating: High

System Affected

Microsoft XML Core Services 4.0

Overview

A remote code execution vulnerability has been reported in Microsoft XML Core Services that could be exploited by an attacker to take complete control of the vulnerable system.

Description

The vulnerability is caused due to a memory corruption error in the XMLHTTP ActiveX Control while processing specially crafted arguments passed to a setRequestHeader()" method.

The attacker could exploit this vulnerability by creating and hosting a specially crafted webpage on a website and could persuade user to visit the website. The attacker could then execute arbitrary commands on the vulnerable system and could take complete control of the vulnerable system remotely.

This is to be noted that vulnerability is currently being exploited in the wild.

Workarounds

  • Prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone.
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
  • Deny Access to the affected CLSID's for Microsoft XML Core Services 4.0 ({88D969C5-F192-11D4-A65F-0040963251E5}) and Microsoft XML Core Services 6.0 ({88D96A0A-F192-11D4-A65F-0040963251E5}) in the registry

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-071

References

Microsoft http://www.microsoft.com/technet/security/advisory/927892.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx

USCERT
http://www.kb.cert.org/vuls/id/585137

FrSIRT
http://www.frsirt.com/english/advisories/2006/4334

Secunia
http://secunia.com/advisories/22687/

SANS
http://isc.sans.org/diary.php?storyid=1823

CVE-Name
CVE-2006-5745

Revisions:
November 15, 2006: Workarounds, Solution and Reference.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003