Technical Information

Brief overview of the risk:
If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Detailed Information on the risk:
This bulletin covers three vulnerabilities in Microsoft Internet Explorer. The most critical problem is an FTP client vulnerability that can be exploited by a malformed response from a malicious server. It is easy to direct web browsers to an FTP URL on a malicious site, so this one should be taken seriously. The other two relate to the instantiation of COM objects in IE that were not designed to be instantiated in IE, and create exploitable memory corruption when run. A denial of service POC for one of these issues was posted publicly in August, but it only impacts systems that support Kanji. Other impacted objects are more common place. IE7 provides protection from the COM object vulnerabilities by default due to a new opt-in feature for ActiveX controls.Further information on this exploit is available at : MS07-016