(MS06-071) Microsoft XML Core Services Remote Code Execution Vulnerability (928088)

Type
Buffer Overflow
Impact of exploitation
Remote Code Execution
User Interaction
User interaction is needed
Attack Vector
Website or e-mail with malicious content
Rating
High
CVE reference
CVE-2006-5745
Vendor Status
Responded and patched
Vulnerable systems
Windows XP SP0 - SP2
Windows 2003 SP0 - SP1
Windows 2000 SP4
XML Core Services 4.0
XML Core Services 6.0
Summary
An unspecified vulnerability exists in Microsoft XML Core Services 4.0 that may allow for remote code execution attacks. A user would have to visit a malicious website or open an HTML email for an attack to be successful.

Description

Microsoft XML Core Services is an XML-development framework for developers who work using JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio. A vulnerability exists in Microsoft XML Core Services 4.0 that may allow for remote code execution. The flaw is unspecified, but exists in the XMLHTTP 4.0 ActiveX Control. A user would have to visit a malicious website using Internet Explorer or open an HTML email for an attack to occur. A failed attack may result in denial of service (DoS).

McAfee Product Mitigation & Recommendations

Recommendations

Download and install the patch available from Microsoft (KB928088): http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx

McAfee Product Mitigation

McAfee Foundstone

This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.

Signature:
(MS06-071) Microsoft XML Core Services Remote Code Execution Vulnerability (928088)
Signature identifier:
4729
Release date:
11/7/2006

McAfee Intrushield

We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature:
HTTP: Malicious XML File
Signature identifier:
0x4022F200
Release date:
11/8/2006
First released in:
3.1.24

McAfee Host IPS

McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature:
Internet Explorer Buffer Overflow Vulnerability
Signature identifier:
1146
Release date:
6/24/2003
First released in:
4.0

McAfee Host IPS

McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature:
Suspicious Function Invocation
Signature identifier:
432
Release date:
2/21/2006
First released in:
security content update 321

McAfee Host IPS

McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature:
Microsoft XML Core Services Vulnerability
Signature identifier:
3787
Release date:
11/14/2006
First released in:
security content 739

McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection

Out of the box, VSE8.0i and MVS Buffer Overflow Protection (BOP) protect against many buffer overflow exploits. We have found that VSE8.0i and MVS BOP are not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs has DAT coverage for this vulnerability and will update this coverage as new threats emerge.

Signature:
Buffer Overflow Protection
Release date:
8/30/2004
First released in:
build 131

McAfee VirusScan Enterprise 8.5i (VSE8.5i) / Total Protection for Small Business (ToPS SB) Buffer Overflow Protection

Out of the box, VSE8.5i and ToPS SB protect against many buffer overflow exploits. We have found that VSE8.5i and ToPS SB are protecting against some, but not all known exploits of this vulnerability. McAfee Avert Labs will update DAT coverage for this vulnerability as new threats emerge.

Signature:
Buffer Overflow Protection
Release date:
11/29/2006
First released in:
build 354

McAfee Anti-Virus protection

The following A-V signature detects malware that is known to exploit this vulnerability.

Signature:
Exploit-XMLCoreSrvcs
Release date:
11/4/2006
First released in:
DAT 4889

McAfee Anti-Virus protection

The following A-V signature detects malware that is known to exploit this vulnerability.

Signature:
JS/Exploit-BO.gen
Release date:
12/29/2004
First released in:
DAT 4417

Additional Resources

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/927892.mspx

Microsoft Security Advisory (927892) Posted

http://blogs.technet.com/msrc/archive/2006/11/04/microsoft-security-advisory-927892-posted.aspx

Microsoft Security Bulletin: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)

http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx

Timeline

11/1/2007

An exploit is available to subscribers of Immunity's Canvas toolbox.

11/14/2006

Vendor has provided a patch.

11/4/2006

Vendor has provided information on the vulnerability.

11/3/2006

Vendor has provided information on the vulnerability.
