<< Back
CVE Number Vulnerability Product Severity Date
MS07-016 Cumulative Security Update for Internet Explorer (928090) Microsoft Windows Critical 14-02-2007

Technical Information

Brief overview of the risk:
If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Detailed Information on the risk:
This bulletin covers three vulnerabilities in Microsoft Internet Explorer. The most critical problem is an FTP client vulnerability that can be exploited by a malformed response from a malicious server. It is easy to direct web browsers to an FTP URL on a malicious site, so this one should be taken seriously. The other two relate to the instantiation of COM objects in IE that were not designed to be instantiated in IE, and create exploitable memory corruption when run. A denial of service POC for one of these issues was posted publicly in August, but it only impacts systems that support Kanji. Other impacted objects are more common place. IE7 provides protection from the COM object vulnerabilities by default due to a new opt-in feature for ActiveX controls.Further information on this exploit is available at : MS07-016

Affected Software

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition