int(3497)

Vulnerability Bulletins

Ejecución de programas en Internet Explorer

Vulnerability classification
Property Value
Confidence level Oficial
Impact Obtener acceso
Dificulty Experto
Required attacker level Acceso remoto sin cuenta a un servicio estandar

System information
Property Value
Affected manufacturer Microsoft
Affected software Windows XP SP2
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows 2003 Server x64 Edition SP2
Windows Server 2003 SP1 for Itanium
Windows Server 2003 SP2 for Itanium

Description
Se ha encontrado una vulnerabilidad en Internet Explorer 7 en sistemas con Windows XP y Windows Server 2003. La vulnerabilidad reside en un error en el manejo de URL.

Un atacante remoto podría ejecutar programas de forma arbitraria mediante secuencias inválidas de "%" en mailto: u otro manipulador URI.

Solution


Actualización de software

Microsoft
Windows XP Service Pack 2 / patch Windowsxp-kb943460-x86-enu
Windows XP Professional x64 Edition and x64 Edition Service Pack 2 / patch WindowsServer2003.WindowsXP-kb943460-x64-enu
Windows Server 2003 / patch WindowsServer2003-KB943460-x86-enu
Windows Server 2003 Itanium-based editions / patch WindowsServer2003-KB943460-ia64-enu
Windows Server 2003 x64-based editions / patch WindowsServer2003.WindowsXP-KB943460-x64-enu

Standar resources
Property Value
CVE CVE-2007-3896
BID 25945

Other resources
Microsoft Security Advisory (943521)
http://www.microsoft.com/technet/security/advisory/943521.mspx

Microsoft Security Bulletin MS07-061
http://www.microsoft.com/technet/security/bulletin/MS07-061.mspx

Version history
Version Comments Date
1.0 Aviso emitido 2007-10-16
1.1 Aviso emitido por Microsoft (MS07-061) 2007-11-14
Ministerio de Defensa
CNI
CCN
CCN-CERT