Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title : Microsoft Updates for Multiple Vulnerabilities

Information

Name : TA07-345A
Vendor : US-CERT
First vendor Publication : 2007-12-11
Last vendor Modification : 2007-12-11
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact Sub Score : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score : 10
Cvss Impact Score : 10
Cvss Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required

Detail

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands.

I. Description

Microsoft has released updates to address vulnerabilities that affect Microsoft Windows and Internet Explorer as part of the Microsoft Security Bulletin Summary for December 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands. For more information, see the US-CERT Vulnerability Notes Database.

II. Impact

A remote, unauthenticated attacker could execute arbitrary commands on a vulnerable system.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the December 2007 security bulletins. The security bulletins describe any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA07-345A.html

CWE : Common Weakness Enumeration

% Id Name
38 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
23 % CWE-399 Resource Management Errors
15 % CWE-264 Permissions, Privileges, and Access Controls
15 % CWE-94 Failure to Control Generation of Code ('Code Injection')
8 % CWE-189 Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:3622
Title: Windows Media Format Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file.
Family: windows Class: vulnerability
Reference(s): CVE-2007-0064
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Windows Media Format Runtime 7.1
Windows Media Format Runtime 9.0
Windows Media Format Runtime 9.5
Windows Media Format Runtime 11
Oval ID: oval:org.mitre.oval:def:3912
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Description: Unspecified vulnerability in the Windows Advanced Local Procedure Call (ALPC) in the kernel in Microsoft Windows Vista allows local users to gain privileges via unspecified vectors involving "legacy reply paths."
Family: windows Class: vulnerability
Reference(s): CVE-2007-5350
Version: 3
Platform(s): Microsoft Windows Vista
Product(s):
Oval ID: oval:org.mitre.oval:def:4208
Title: Vulnerability in SMBv2 Could Allow Remote Code Execution
Description: Unspecified vulnerability in Server Message Block Version 2 (SMBv2) signing support in Microsoft Windows Vista allows remote attackers to force signature re-computation and execute arbitrary code via a crafted SMBv2 packet, aka "SMBv2 Signing Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-5351
Version: 1
Platform(s): Microsoft Windows Vista
Product(s): SMBv2
Oval ID: oval:org.mitre.oval:def:4287
Title: Microsoft DirectX Code Execution Vulnerability
Description: Buffer overflow in Microsoft DirectShow in Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted (1) WAV or (2) AVI file.
Family: windows Class: vulnerability
Reference(s): CVE-2007-3895
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): DirectX
Oval ID: oval:org.mitre.oval:def:4332
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via "unexpected method calls to HTML objects," aka "DHTML Object Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-5347
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Oval ID: oval:org.mitre.oval:def:4474
Title: Vulnerability in Message Queuing Could Allow Remote Code Execution
Description: Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
Family: windows Class: vulnerability
Reference(s): CVE-2007-3039
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Product(s):
Oval ID: oval:org.mitre.oval:def:4480
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via a crafted website using Javascript that creates, modifies, deletes, and accesses document objects using the tags property, which triggers heap corruption, related to uninitialized or deleted objects, a different issue than CVE-2007-3902 and CVE-2007-3903, and a variant of "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-5344
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Oval ID: oval:org.mitre.oval:def:4520
Title: Microsoft DirectX Code Execution Vulnerability
Description: Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted SAMI file.
Family: windows Class: vulnerability
Reference(s): CVE-2007-3901
Version: 3
Platform(s): Microsoft Windows 2000
Product(s): DirectX
Oval ID: oval:org.mitre.oval:def:4553
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code via uninitialized or deleted objects used in repeated calls to the (1) cloneNode or (2) nodeValue JavaScript function, a different issue than CVE-2007-3902 and CVE-2007-5344, a variant of "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-3903
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Oval ID: oval:org.mitre.oval:def:4582
Title: Uninitialized Memory Corruption Vulnerability
Description: Use-after-free vulnerability in the CRecalcProperty function in mshtml.dll in Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code by calling the setExpression method and then modifying the outerHTML property of an HTML element, one variant of "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-3902
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Oval ID: oval:org.mitre.oval:def:4584
Title: Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege
Description: Buffer overflow in Macrovision SafeDisc secdrv.sys before 4.3.86.0, as shipped in Microsoft Windows XP SP2, XP Professional x64 and x64 SP2, Server 2003 SP1 and SP2, and Server 2003 x64 and x64 SP2 allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL, as originally discovered in the wild.
Family: windows Class: vulnerability
Reference(s): CVE-2007-5587
Version: 1
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Macrovision

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 15
Application 3
Application 27
Application 1
Application 5
Application 1
Os 2

SAINT Exploits

Description
Microsoft Message Queuing queue name buffer overflow
Microsoft DirectX SAMI parser buffer overflow

ExploitDB Exploits

Date Description
2008-01-08 Microsoft DirectX SAMI File Parsing - Remote Stack Overflow Exploit
2007-12-21 MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065)

OpenVAS Exploits

Date Description
2011-01-14 Name : Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
File : nvt/gb_ms07-063.nasl
2011-01-14 Name : Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
File : nvt/gb_ms07-064.nasl
2011-01-14 Name : Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
File : nvt/gb_ms07-066.nasl
2011-01-14 Name : Vulnerability in Windows Media File Format Could Allow Remote Code Execution
File : nvt/gb_ms07-068.nasl
2011-01-14 Name : Microsoft Internet Explorer mshtml.dll Remote Memory Corruption Vulnerability...
File : nvt/gb_ms07-069.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
41429 Macrovision SafeDisc secdrv.sys Crafted METHOD_NEITHER IOCTL Local Overflow

39127 Microsoft Windows DirectX WAV / AVI File Parsing Arbitrary Code Execution

39126 Microsoft Windows DirectX SAMI File Parsing Arbitrary Code Execution

A buffer overflow exists in DirectX. The DirectShow SAMI parser fails to validate SAMI files, resulting in a stack overflow. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
39125 Microsoft Windows Vista SMBv2 Signing Unspecified Remote Code Execution

39124 Microsoft Windows Vista Kernel Legacy Reply Path Validation Local Privilege E...

Windows Vista contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified flaw in Windows Advanced Local Procedure Call (ALPC). This flaw may lead to a loss of integrity.
39123 Microsoft Windows Message Queuing MSMQ Message Handling Arbitrary Code Execution

A stack overflow exists in Windows. The Message Queuing Service fails to validate information received via the RPC interface resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
39122 Microsoft Windows Media Format Runtime ASF Parsing Arbitrary Code Execution

A buffer overflow exists in Windows. The Windows Media Player fails to validate ASF files resulting in a heap overflow. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
39121 Microsoft IE DHTML Object Memory Corruption

An unspecified memory corruption flaw exists in Internet Explorer. With a specially crafted web page, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
39120 Microsoft IE Element Tag Uninitialized Memory Corruption

A heap overflow exists in Internet Explorer. The handling of document objects may cause the document model in memory to become unstable resulting in a heap overflow. With a specially crafted web page, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
39119 Microsoft IE Object cloneNode / nodeValue Function Uninitialized Memory Corru...

A memory corruption flaw exists in Internet Explorer. The 'cloneNode' and 'nodeValue' functions are used improperly, resulting in memory corruption. With a specially crafted call, an attacker can cause arbitrary code execution resulting in a loss of integrity.
39118 Microsoft IE Object setExpression Function Memory Corruption

Internet Explorer contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the CRecalcProperty function in mshtml.dll references memory that has already been freed. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

Information Assurance Vulnerability Management (IAVM)

Date Description
2007-12-13 IAVM : 2007-A-0056 - Microsoft Windows Media File Format Vulnerability
Severity : Category II - VMSKEY : V0015588
2007-12-13 IAVM : 2007-T-0049 - Microsoft Windows SMBv2 Remote Code Execution Vulnerability
Severity : Category I - VMSKEY : V0015589

Snort® IPS/IDS

Date Description
2017-08-01 Microsoft Internet Explorer clone object memory corruption attempt
RuleID : 43398 - Revision : 1 - Type : BROWSER-IE
2017-07-25 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 43270 - Revision : 1 - Type : FILE-MULTIMEDIA
2017-07-25 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 43269 - Revision : 1 - Type : FILE-MULTIMEDIA
2016-07-08 Microsoft Internet Explorer DOM object cache management memory corruption att...
RuleID : 39156 - Revision : 1 - Type : BROWSER-IE
2016-07-08 Microsoft Internet Explorer DOM object cache management memory corruption att...
RuleID : 39155 - Revision : 1 - Type : BROWSER-IE
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21775 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21774 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21773 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21772 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21771 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 21770 - Revision : 5 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows ASF parsing memory corruption attempt
RuleID : 17711 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 VMware Workstation DHCP service integer overflow attempt
RuleID : 17662 - Revision : 13 - Type : SERVER-OTHER
2014-01-10 Microsoft Internet Explorer object reference memory corruption attempt
RuleID : 17622 - Revision : 11 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer DOM object cache management memory corruption att...
RuleID : 17554 - Revision : 9 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer clone object memory corruption attempt
RuleID : 17303 - Revision : 12 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer DOM object cache management memory corruption att...
RuleID : 16067 - Revision : 11 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer location.replace memory corruption attempt
RuleID : 16065 - Revision : 11 - Type : BROWSER-IE
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal object call overflow attempt
RuleID : 14627 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal object call overflow attempt
RuleID : 14626 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal little endian object call ove...
RuleID : 14625 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal little endian object call ove...
RuleID : 14624 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP v4 mqqm QMCreateObjectInternal overflow attempt
RuleID : 14623 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt
RuleID : 14622 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat little endian object call...
RuleID : 14621 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat little endian object call...
RuleID : 14620 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat object call overflow attempt
RuleID : 14619 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat object call overflow attempt
RuleID : 14618 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat little endian overflow at...
RuleID : 14617 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 mqqm QMObjectPathToObjectFormat overflow attempt
RuleID : 14616 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat little endian overflow at...
RuleID : 13215 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP v4 mqqm QMObjectPathToObjectFormat overflow attempt
RuleID : 13214 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 mqqm QMObjectPathToObjectFormat little endian overflow...
RuleID : 13213 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt
RuleID : 13212 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt
RuleID : 13211 - Revision : 19 - Type : OS-WINDOWS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt
RuleID : 13210 - Revision : 19 - Type : OS-WINDOWS
2014-01-10 Microsoft Media Player asf streaming audio spread error correction data lengt...
RuleID : 13160 - Revision : 9 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Media Player asf streaming format audio error masking integer overf...
RuleID : 13159 - Revision : 8 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Media Player asf streaming format interchange data integer overflow...
RuleID : 13158 - Revision : 8 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows DirectX SAMI file CRawParser buffer overflow attempt
RuleID : 12983 - Revision : 17 - Type : FILE-MULTIMEDIA
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt
RuleID : 12982 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal little endian overflow attempt
RuleID : 12981 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 mqqm QMCreateObjectInternal overflow attempt
RuleID : 12980 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 mqqm QMCreateObjectInternal little endian overflow att...
RuleID : 12979 - Revision : 9 - Type : NETBIOS
2014-01-10 DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt
RuleID : 12978 - Revision : 18 - Type : OS-WINDOWS
2014-01-10 DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt
RuleID : 12977 - Revision : 20 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows DirectX directshow wav file overflow attempt
RuleID : 12971 - Revision : 14 - Type : FILE-MULTIMEDIA
2014-01-10 Microsoft Windows SMB SMBv2 protocol negotiation attempt
RuleID : 12947 - Revision : 9 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt
RuleID : 12946 - Revision : 10 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2008-01-07 Name : It is possible to execute arbitrary code on the remote host.
File : smb_kb942624.nasl - Type : ACT_GATHER_INFO
2007-12-12 Name : Arbitrary code can be executed on the remote host.
File : msmqs_overflow2.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : It is possible to execute code on the remote host.
File : smb_nt_ms07-063.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : A vulnerability in DirectX could allow remote code execution.
File : smb_nt_ms07-064.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : Arbitrary code can be executed on the remote host.
File : smb_nt_ms07-065.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : A local user can elevate privileges on the remote host.
File : smb_nt_ms07-066.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : The remote Windows host contains a kernel driver that is prone to a local pri...
File : smb_nt_ms07-067.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : Arbitrary code can be executed on the remote host through the Media File Format.
File : smb_nt_ms07-068.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : Arbitrary code can be executed on the remote host through the web client.
File : smb_nt_ms07-069.nasl - Type : ACT_GATHER_INFO
2007-11-13 Name : The remote Windows host contains a kernel driver that is prone to a local pri...
File : macrovision_secdrv_priv_escalation.nasl - Type : ACT_GATHER_INFO