Content
(MS07-021) Microsoft MsgBox (CSRSS) Remote Code Execution Vulnerability (930178)
- Type
- Logic error
- Impact of exploitation
- Remote Code Execution
- User Interaction
- user interaction is needed
- Attack Vector
- Website with malicious content
- Rating
- Medium
- CVE reference
- CVE-2006-6696,
- Vendor Status
- Responded and patched
- Vulnerable systems
- Windows XP SP0 - SP2,
- Windows 2003 SP0 - SP1,
- Windows 2000 SP4,
- Vista SP0,
- Summary
- A vulnerability in Microsoft Windows may allow for remote code execution attacks. A user would have to visit a malicious Web site for an attack to occur.
Tab Navigation
Description
Microsoft Windows is an industry-standard operating system developed by Microsoft. The Microsoft Windows MessageBox API allows for messages to be sent by non-interactive services to the Windows Client/Server Runtime Server Subsystem (CSRSS) to alert of an error. A vulnerability in Microsoft Windows Client/Server Runtime Server Subsystem (CSRSS) may allow for remote code execution attacks or local privilege escalation attacks. The flaw lies in processing of specially-crafted LPC requests which begin with a "\??\" or contain a "\Device" ANSI string, sent by the MessageBox function. Code execution resulting from successful exploitation would be at SYSTEM level. In the remote code execution scenario, a user would have to visit a malicious Web site for an attack to occur.
McAfee Product Mitigation & Recommendations
Recommendations
Download and install the patch available from Microsoft (930178): http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS07-021) Microsoft MsgBox (CSRSS) Remote Code Execution Vulnerability (930178)
- Signature identifier:
- 4815
- Release date:
- 12/28/2006
Additional Resources
Microsoft Windows XP/2003/Vista memory corruption 0day.
http://seclists.org/fulldisclosure/2006/Dec/0379.html
New report of a Windows vulnerability
http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx
Microsoft Security Bulletin MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
All Information
Timeline -
4/27/2007
Vendor has supplied information for a non-security related issue.
4/10/2007
Vendor has provided a patch.
12/31/2006
A proof of concept has been released.
12/29/2006
A proof of concept has been released.
12/22/2006
Vendor has provided information on the vulnerability.
12/21/2006
Vulnerability information has been publicly disclosed.
12/21/2006
An exploit scenario has been released.
12/20/2006
Exploit code resulting in a denial of service has been released.
Description -
Microsoft Windows is an industry-standard operating system developed by Microsoft. The Microsoft Windows MessageBox API allows for messages to be sent by non-interactive services to the Windows Client/Server Runtime Server Subsystem (CSRSS) to alert of an error. A vulnerability in Microsoft Windows Client/Server Runtime Server Subsystem (CSRSS) may allow for remote code execution attacks or local privilege escalation attacks. The flaw lies in processing of specially-crafted LPC requests which begin with a "\??\" or contain a "\Device" ANSI string, sent by the MessageBox function. Code execution resulting from successful exploitation would be at SYSTEM level. In the remote code execution scenario, a user would have to visit a malicious Web site for an attack to occur.
McAfee Product Mitigation & Recommendations
Recommendations -
Download and install the patch available from Microsoft (930178): http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS07-021) Microsoft MsgBox (CSRSS) Remote Code Execution Vulnerability (930178)
- Signature identifier:
- 4815
- Release date:
- 12/28/2006
Additional Resources
Additional Resources -
Microsoft Windows XP/2003/Vista memory corruption 0day.
http://seclists.org/fulldisclosure/2006/Dec/0379.html
New report of a Windows vulnerability
http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx
Microsoft Security Bulletin MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
