Vulnerability in Windows URI Handling Could Allow Remote Code Execution (MS07-061)
14 Nov. 2007
Summary
A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. An attacker could exploit this vulnerability by including a specially crafted URI in an application or attachment, which could potentially allow remote code execution.
Affected Software:
* Windows XP Service Pack 2
* Windows XP Professional x64 Edition
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition
* Windows 2003 Server x64 Edition Service Pack 2
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 with SP2 for Itanium based Systems
Non-Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Windows Vista
* Windows Vista x64
Mitigating Factors for Windows URI Handling Vulnerability:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
* Windows 2000 Service Pack 4 is not affected
* Windows Vista is not affected
* Windows Vista x64 Edition is not affected
* Microsoft has not identified a way to exploit this vulnerability on any Windows operating system that is running Internet Explorer 6
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. To be more at risk from this vulnerability, users would have to either click on a link that would take them to a malicious Web site or open an attachment.
FAQ for Windows URI Handling Vulnerability: What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
The Windows shell insufficiently handles invalid URIs.
What is a URI?
A Uniform Resource Identifier (URI) is a string of characters used to act on or identify resources from the Internet or over a network. A URL is a typical example of a URI that references a resource such as a Web site. For more information about URIs, see RFC 2396.
What might an attacker use the vulnerability to do?
An attacker who has convinced a user to open an attachment in mail or to follow a link to an attacker's Web site could run arbitrary code as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker would have to create a specially crafted URI and provide the URI as input to an application on an affected system, which would then attempt to access the resource referred to it by the URI. Applications that take URIs as input from untrusted sources such as attachments in e-mail, documents, or data from the network assuming it will be safe, are exposed to this vulnerability. Under specific circumstances, processing specially crafted URI input could allow arbitrary code to be executed. In order to exploit the vulnerability, an attacker would have to convince the user to launch the attachment or application, or visit the Web site. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This vulnerability might also be exploited by compromised Web sites or Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted URIs that could exploit this vulnerability. It could also be possible to display specially crafted URIs by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
Systems running supported editions of Windows XP and Windows Server 2003 with Internet Explorer 7 installed are vulnerable.
What does the update do?
The update removes the vulnerability by changing the way that the Windows shell handles invalid URIs.
I do not have Windows Internet Explorer 7 installed. Why am I receiving this update?
The vulnerability exists in a Windows file, Shell32.dll, included in supported editions of Windows XP and Windows Server 2003. Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6, which is the browser that is included with these operating systems. As a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed.
I am using Windows Vista, am I at risk from this vulnerability?
No. Windows Vista is not affected by this vulnerability. Windows Internet Explorer 7 is included with Windows Vista but the Windows shell in Windows Vista is not affected by this vulnerability.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability had been publicly disclosed when this security bulletin was originally issued. It has been assigned the Common Vulnerability and Exposure number CVE-2007-3896. This vulnerability was first described in Microsoft Security Advisory 943521.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.
Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2007-3896.