Launch Printer Friendly Page Security TechCenter > > Microsoft Security Bulletin MS07-039

Microsoft Security Bulletin MS07-039 - Critical

Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)

Published: | Updated:

Version: 1.1

General Information

Executive Summary

This critical security update resolves a privately reported vulnerability in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition. Attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible. On Windows Server 2003 an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

This is a critical security update for supported editions of Windows 2000 and an important security update for supported editions of Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by validating the number of convertible attributes in the client LDAP request. For more information about the vulnerability, see the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None.

Affected and Non-Affected Software

The following software have been tested to determine which editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating SystemMaximum Security ImpactAggregate Severity RatingBulletins Replaced by This Update
Microsoft Windows 2000 Server Service Pack 4Remote Code ExecutionCriticalNone
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2Remote Code ExecutionImportantNone
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2Remote Code ExecutionImportantNone
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based SystemsRemote Code ExecutionImportantNone

Non-Affected Software

Operating System
Windows 2000 Professional Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition
Active Directory Application Mode (ADAM) Service Pack 1

Note: These editions of Windows are not affected because they do not include the Active Directory server component.

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Windows Active Directory Remote Code Execution Vulnerability- CVE-2007-0040

Windows Active Directory Denial of Service Vulnerability- CVE-2007-3028

Update Information

Detection and Deployment Tools and Guidance

Security Update Deployment

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Peter Winter-Smith of NGSSoftware, for reporting the Windows Active Directory Denial of Service Vulnerability-CVE-2007-3028.
  • Neel Mehta of IBM Internet Security Systems x-Force, for reporting the Windows Active Directory Remote Code Execution Vulnerability-CVE-2007-0040.

Support

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 10, 2007): Bulletin published.

    V1.1 (July 12, 2007): Bulletin Revised: Updating bulletin to add FAQ section for ADAM dependencies and deployment to all 2000 and 2003 systems.