Microsoft XML Core Service Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability

Cause
Design error
Severity

 
Affected systems
Microsoft XML Core Services 3.0
 
Unaffected systems
 
Impact
A remote attacker can exploit this vulnerability to cause a denial of service against the service.
 
Attack prerequisites
The attacker must be able to access Microsoft XML Core Services.
 
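Vulnerability details
Microsoft XML Core Services (MSXML) lets users of JScript, VBScript and Visual Studio 6.0 develop XML-based applications that interoperate with other applications conforming to the XML 1.0 standard.
On Windows XP (msxml3.dll version 8.100.1051.0, MSXML 3.0 SP10), memory corruption occurs when the "Msxml2.XMLHTTP.3.0" ActiveX object processes an HTTP response. The same object on Windows Vista (msxml3.dll version 8.100.5002.0, MSXML 3.0 SP10) is not affected by this vulnerability.
The memory corruption can be triggered when a server sends an invalid response such as "HTTP 4\n" to an XMLHttp request made with this object.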
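
As an added example (not part of the original advisory and not vendor code), the following shows a strict status-line check of the kind a filtering proxy or IDS could apply to server responses before they reach a client. The function name, reason strings and 8192-byte cap are assumptions, and the sample responses are constructed.

```python
import re

# RFC 7230 status-line: HTTP-version SP 3DIGIT SP reason-phrase, then CRLF.
STATUS_LINE = re.compile(rb"HTTP/\d\.\d (\d{3}) [\t \x21-\x7e\x80-\xff]*")
MAX_LINE = 8192  # assumed cap on status-line length


def check_status_line(raw: bytes):
    """Return (ok, reason) for the first line of a raw server response."""
    nl = raw.find(b"\n", 0, MAX_LINE)
    if nl == -1:
        return False, "no-terminator"
    line = raw[:nl]
    bare_lf = not line.endswith(b"\r")
    if not bare_lf:
        line = line[:-1]  # drop the CR of the CRLF pair
    m = STATUS_LINE.fullmatch(line)
    if m is None:
        return False, "malformed-status-line"
    if bare_lf:
        return False, "bare-lf"
    if not 100 <= int(m.group(1)) <= 599:
        return False, "status-out-of-range"
    return True, "ok"


# Constructed sample responses; the second is the invalid reply quoted above.
SAMPLES = [
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"HTTP 4\n",
    b"HTTP/1.1 404 Not Found\n",
    b"HTTP/1.1 200",
    b"HTTP/1.1 999 X\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_status_line(raw), raw[:40])
```
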
 
Test method
http://www.securityfocus.com/data/vulnerabilities/exploits/42300.py
 
Vendor solution
Users can refer to the following security patches provided by the vendor:
Microsoft XML Core Services 3.0
Microsoft Security Update for Windows Vista for x64-based Systems (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=577131CD-1229-4746-89D7-84D75F29E1F0
Microsoft Security Update for Windows Server 2003 (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=31CE233E-4D2D-404B-84A8-683319BA8EF7
Microsoft Security Update for Windows Server 2008 R2 for Itanium-based Systems (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=B4D3210E-F3AD-4DBB-9390-6E98EEB99EAA
Microsoft Security Update for Windows 7 for x64-based Systems (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=A4F6D7C2-B475-4900-82F0-75F5BE0B7B63
Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=D87AC8B3-41FB-4CDD-B305-181A0024D85C
Microsoft Security Update for Windows Server 2008 R2 x64 Edition (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=A48CDAC5-4D78-49B5-A6D8-ECF6C58CACE2
Microsoft Security Update for Windows Server 2008 x64 Edition (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=43ECE408-4AA7-4819-B3F6-7F0719ED3213
Microsoft Security Update for Windows XP x64 Edition (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=4D4E8EEB-A0B2-41C6-9EE4-3F4BEB44195E
Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=B6FAEE94-E821-432D-BFA2-9008664566AF
Microsoft Security Update for Windows 7 (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=31D0F5AC-2CFF-42A1-8F18-128BBFC4E57D
Microsoft Security Update for Windows Server 2003 x64 Edition (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=4D784B57-8564-4E7E-8F61-F897398E7EA5
Microsoft Security Update for Windows XP (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=DBDBBE5E-2EF9-4704-80C4-27EF28FD95EF
Microsoft Security Update for Windows Vista (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=BBFAADF8-AB38-456C-956A-EA18C64236C9
Microsoft Security Update for Windows Server 2008 (KB2079403)
http://www.microsoft.com/downloads/details.aspx?familyid=73B5F45C-C9D6-491F-8483-98838B2A7C04
 
Vulnerability reported by
Microsoft, SkyLined of Google Inc.
