BID:23772

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

Info

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

Bugtraq ID:	23772
Class:	Unknown
CVE:	CVE-2007-0947
Remote:	Yes
Local:	No
Published:	May 08 2007 12:00AM
Updated:	May 17 2007 09:38PM
Credit:	JJ Reyes of Secunia Research is credited with the discovery of this vulnerability.
Vulnerable:	Nortel Networks Contact Center Web Client Nortel Networks Contact Center Multimedia Nortel Networks Contact Center Manager Server 0 Nortel Networks Contact Center Manager Nortel Networks Contact Center Express Nortel Networks Contact Center Administration 0 Nortel Networks Contact Center - Symposium Agent 0 Nortel Networks Contact Center Nortel Networks Centrex IP Client Manager Nortel Networks CallPilot 703t Nortel Networks CallPilot 702t Nortel Networks CallPilot 201i Nortel Networks CallPilot 200i Nortel Networks CallPilot 1002rp Microsoft Internet Explorer 7.0.5730 .11 Microsoft Internet Explorer 7.0 beta3 Microsoft Internet Explorer 7.0 beta2 Microsoft Internet Explorer 7.0 beta1 Microsoft Internet Explorer 7.0 + Microsoft Windows Server 2003 Sp2 X64 + Microsoft Windows Server 2003 Sp2 X64 + Microsoft Windows Server 2003 SP2 + Microsoft Windows Server 2003 SP2 + Microsoft Windows Server 2003 SP2 + Microsoft Windows Server 2003 Sp1 X64 + Microsoft Windows Server 2003 Sp1 X64 + Microsoft Windows Server 2003 SP1 + Microsoft Windows Server 2003 SP1 + Microsoft Windows Server 2003 Itanium SP2 + Microsoft Windows Server 2003 Itanium SP2 + Microsoft Windows Server 2003 Itanium SP2 + Microsoft Windows Server 2003 Itanium SP1 + Microsoft Windows Server 2003 Itanium SP1 + Microsoft Windows Server 2003 Itanium 0 + Microsoft Windows Server 2003 Itanium 0 + Microsoft Windows Server 2003 x64 SP2 + Microsoft Windows Server 2003 x64 SP2 + Microsoft Windows Server 2003 x64 SP2 + Microsoft Windows Server 2008 for 32-bit Systems SP2 + Microsoft Windows Server 2008 for 32-bit Systems SP2 + Microsoft Windows Server 2008 for 32-bit Systems SP2 + Microsoft Windows Server 2008 for 32-bit Systems 0 + Microsoft Windows Server 2008 for 32-bit Systems 0 + Microsoft Windows Server 2008 for 32-bit Systems 0 + Microsoft Windows Server 2008 for Itanium-based Systems SP2 + Microsoft Windows Server 2008 for Itanium-based Systems SP2 + Microsoft Windows Server 2008 for Itanium-based Systems SP2 + Microsoft Windows Server 2008 for Itanium-based Systems 0 + Microsoft Windows Server 2008 for Itanium-based Systems 0 + Microsoft Windows Server 2008 for Itanium-based Systems 0 + Microsoft Windows Server 2008 for x64-based Systems SP2 + Microsoft Windows Server 2008 for x64-based Systems SP2 + Microsoft Windows Server 2008 for x64-based Systems SP2 + Microsoft Windows Server 2008 for x64-based Systems R2 + Microsoft Windows Server 2008 for x64-based Systems R2 + Microsoft Windows Server 2008 for x64-based Systems 0 + Microsoft Windows Server 2008 for x64-based Systems 0 + Microsoft Windows Server 2008 for x64-based Systems 0 + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista SP2 + Microsoft Windows Vista SP2 + Microsoft Windows Vista SP2 + Microsoft Windows Vista SP1 + Microsoft Windows Vista SP1 + Microsoft Windows Vista SP1 + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista Enterprise 64-bit edition SP2 + Microsoft Windows Vista Enterprise 64-bit edition SP2 + Microsoft Windows Vista Enterprise 64-bit edition SP1 + Microsoft Windows Vista Enterprise 64-bit edition SP1 + Microsoft Windows Vista Enterprise 64-bit edition 0 + Microsoft Windows Vista Enterprise 64-bit edition 0 + Microsoft Windows Vista Home Basic 64-bit edition Sp1 X64 + Microsoft Windows Vista Home Basic 64-bit edition Sp1 X64 + Microsoft Windows Vista Home Basic 64-bit edition SP1 + Microsoft Windows Vista Home Basic 64-bit edition SP1 + Microsoft Windows Vista Home Basic 64-bit edition 0 + Microsoft Windows Vista Home Basic 64-bit edition 0 + Microsoft Windows Vista Home Premium 64-bit edition SP2 + Microsoft Windows Vista Home Premium 64-bit edition SP2 + Microsoft Windows Vista Home Premium 64-bit edition SP1 + Microsoft Windows Vista Home Premium 64-bit edition SP1 + Microsoft Windows Vista Home Premium 64-bit edition 0 + Microsoft Windows Vista Home Premium 64-bit edition 0 + Microsoft Windows Vista x64 Edition SP2 + Microsoft Windows Vista x64 Edition SP2 + Microsoft Windows Vista x64 Edition SP2 + Microsoft Windows Vista x64 Edition SP1 + Microsoft Windows Vista x64 Edition SP1 + Microsoft Windows Vista x64 Edition SP1 + Microsoft Windows Vista x64 Edition 0 + Microsoft Windows Vista x64 Edition 0 + Microsoft Windows Vista x64 Edition 0 + Microsoft Windows Vista x64 Edition Service Pack 2 0 + Microsoft Windows XP 0 + Microsoft Windows XP 0 + Microsoft Windows XP Embedded SP3 + Microsoft Windows XP Embedded SP3 + Microsoft Windows XP Embedded SP3 + Microsoft Windows XP Home SP3 + Microsoft Windows XP Home SP3 + Microsoft Windows XP Home SP3 + Microsoft Windows XP Home SP2 + Microsoft Windows XP Home SP2 + Microsoft Windows XP Home SP1 + Microsoft Windows XP Home SP1 + Microsoft Windows XP Media Center Edition SP3 + Microsoft Windows XP Media Center Edition SP3 + Microsoft Windows XP Media Center Edition SP3 + Microsoft Windows XP Professional SP3 + Microsoft Windows XP Professional SP3 + Microsoft Windows XP Professional SP3 + Microsoft Windows XP Professional SP2 + Microsoft Windows XP Professional SP2 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional + Microsoft Windows XP Professional + Microsoft Windows XP Professional x64 Edition SP3 + Microsoft Windows XP Professional x64 Edition SP3 + Microsoft Windows XP Professional x64 Edition SP2 + Microsoft Windows XP Professional x64 Edition SP2 + Microsoft Windows XP Professional x64 Edition SP2 + Microsoft Windows XP Professional x64 Edition + Microsoft Windows XP Professional x64 Edition + Microsoft Windows XP Service Pack 3 0 + Microsoft Windows XP Service Pack 3 0 + Microsoft Windows XP Tablet PC Edition SP3 + Microsoft Windows XP Tablet PC Edition SP3 + Microsoft Windows XP Tablet PC Edition SP3 HP Storage Management Appliance 2.1 + HP Storage Management Appliance III + HP Storage Management Appliance II + HP Storage Management Appliance I Avaya Web Messenger 0 Avaya VPNmanagerTM Console 0 Avaya Visual Vector Client 0 Avaya Visual Messenger TM 0 Avaya Unified Messenger (r) 0 Avaya Unified Communications Center S3400 Avaya Unified Communication Center Avaya Speech Access 0 Avaya Outbound Contact Management 0 Avaya Operational Analyst 0 Avaya OctelDesignerTM 0 Avaya OctelAccess(r) Server 0 Avaya Network Reporting 0 Avaya Modular Messaging (MSS) 2.0 SP4 Avaya Modular Messaging (MSS) 2.0 Avaya Modular Messaging (MSS) 1.1 Avaya Modular Messaging (MAS) 3.0 Avaya Modular Messaging (MAS) Avaya Modular Messaging S3400 Avaya Messaging Application Server MM 3.1 Avaya Messaging Application Server MM 3.0 Avaya Messaging Application Server MM 2.0 Avaya Messaging Application Server 0 Avaya IP Softphone 0 Avaya IP Agent 0 Avaya Interaction Center - Voice Quick Start 0 Avaya Interaction Center 0 Avaya Integrated Management 2.1 Avaya Integrated Management Avaya Enterprise Management 0 Avaya CVLAN Avaya Contact Center Express 0 Avaya Computer Telephony 0 Avaya CMS Supervisor 0 Avaya CIE 1.0 Avaya Basic Call Management System Reporting Desktop server Avaya Basic Call Management System Reporting Desktop 0 Avaya Agent Access 0

Not Vulnerable:

Discussion

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

This vulnerability is related to how the browser handles script errors in certain situations. An attacker could exploit this issue to execute arbitrary code in the context of the user running the affected browser.

This issue affects Internet Explorer 7 running on Windows XP SP2, Windows Server 2003 SP1 and SP2, and on Windows Vista.

Exploit / POC

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

An attacker may exploit this issue by enticing a victim user into viewing a malicious webpage.

Solution / Fix

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

Solution:
Microsoft released security bulletin MS07-027 with fixes to address this issue. Please see the references for more information.

Microsoft Internet Explorer 7.0 beta1

Microsoft Cumulative Update for Internet Explorer 7 for Windows Server 2003 (KB931768)
Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=0F173D60-6FD0 -4C92-BB2A-A7A78707E35F&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 for Windows Server 2003 64-bit Itanium Edition (KB931768)
Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
http://www.microsoft.com/downloads/details.aspx?familyid=1944BCFA-B0BC -4BD5-9089-A618EA43EA49&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB931768)
ows Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=404A48A2-5765 -4AFA-94BF-E97212AA14EF&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 for Windows XP Service Pack 2 (KB931768)
Windows Internet Explorer 7 for Windows XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=7A778D93-9D85 -4217-8CC0-5C494D954CA0&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 for Windows XP x64 Edition (KB931768)
Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=29938ED4-F8BB -4793-897C-966BA7F4830C&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 in Windows Vista (KB931768)
Windows Internet Explorer 7 in Windows Vista
http://www.microsoft.com/downloads/details.aspx?familyid=0C65FAD3-BAAE -46C4-B453-84CF28B15F50&displaylang=en

Microsoft Cumulative Update for Internet Explorer 7 in Windows Vista x64 Edition (KB931768)
Windows Internet Explorer 7 in Windows Vista x64 Edition
http://www.microsoft.com/downloads/details.aspx?familyid=74AFEA3D-79DF -4B64-BF30-B8E5C55CAB2B&displaylang=en

References

Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability

References:

Microsoft Homepage (Microsoft)
Microsoft Internet Explorer Homepage (Microsoft)
Secunia Research: Internet Explorer HTML Objects Memory Corruption Vulnerability (Secunia)
2007007972: Nortel Response to Microsoft Security Bulletin MS07-027 (Nortel Networks)
ASA-2007-182 MS07-027 Cumulative Security Update for Internet Explorer (931768) (Avaya)
Microsoft Security Bulletin MS07-027 (Microsoft)
Secunia Research: Internet Explorer HTML Objects Memory Corruption Vulnerability (Secunia)