
Microsoft Security Bulletin MS08-069 - Critical

Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)

Published: | Updated:

Version: 4.0

General Information

Executive Summary

This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Microsoft XML Core Services 3.0 and Important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0, and Microsoft XML Core Services 6.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that Microsoft XML Core Services parses XML content, handles external document type definitions (DTD), and sets HTTP request fields. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. Microsoft Knowledge Base Article 955218 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

| Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|---|
| Windows 2000 | | | | |
| Microsoft Windows 2000 Service Pack 4 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Microsoft Windows 2000 Service Pack 4 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | MS07-042 |
| Microsoft Windows 2000 Service Pack 4 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | MS07-042 |
| Windows XP | | | | |
| Windows XP Service Pack 2 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows XP Service Pack 3 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | MS07-042 |
| Windows XP Service Pack 2 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | MS07-042 |
| Windows XP Service Pack 3 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | None |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | MS07-042 |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | MS07-042 |
| Windows Server 2003 | | | | |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | MS07-042 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | MS07-042 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | MS07-042 |
| Windows Vista | | | | |
| Windows Vista | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows Vista Service Pack 1 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows Vista and Windows Vista Service Pack 1 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | MS07-042 |
| Windows Vista Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | None |
| Windows Vista | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | MS07-042 |
| Windows Vista Service Pack 1 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | None |
| Windows Vista x64 Edition | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | MS07-042 |
| Windows Vista x64 Edition Service Pack 1 | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | MS07-042 |
| Windows Vista x64 Edition Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | None |
| Windows Vista x64 Edition | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | MS07-042 |
| Windows Vista x64 Edition Service Pack 1 | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Important | None |
| Windows Server 2008 | | | | |
| Windows Server 2008 for 32-bit Systems* | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows Server 2008 for 32-bit Systems* | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2008 for 32-bit Systems Service Pack 2* | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | None |
| Windows Server 2008 for 32-bit Systems* | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | None |
| Windows Server 2008 for x64-based Systems* | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows Server 2008 for x64-based Systems* | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2008 for x64-based Systems Service Pack 2* | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | None |
| Windows Server 2008 for x64-based Systems* | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | None |
| Windows Server 2008 for Itanium-based Systems | Microsoft XML Core Services 3.0 (KB955069) | Remote Code Execution | Critical | None |
| Windows Server 2008 for Itanium-based Systems | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | MS07-042 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | None |
| Windows Server 2008 for Itanium-based Systems | Microsoft XML Core Services 6.0 (KB954459) | Information Disclosure | Low | None |
| Windows 7 | | | | |
| Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | None |
| Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Important | None |
| Windows Server 2008 R2 | | | | |
| Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1* | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | None |
| Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft XML Core Services 4.0 (KB954430) | Information Disclosure | Low | None |
| Microsoft Office | | | | |
| Microsoft Office 2003 Service Pack 3 | Microsoft XML Core Services 5.0 (KB951535) | Information Disclosure | Important | None |
| Microsoft Word Viewer 2003 Service Pack 3 | Microsoft XML Core Services 5.0 (KB951535) | Information Disclosure | Important | None |
| 2007 Microsoft Office System | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | MS07-042 |
| 2007 Microsoft Office System Service Pack 1 | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | None |
| Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | MS07-042 |
| Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | None |
| Microsoft Expression Web | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | MS07-042 |
| Microsoft Expression Web 2 | Microsoft XML Core Services 5.0 (KB951550) | Information Disclosure | Important | None |
| Microsoft Office SharePoint Server 2007 (32-bit editions) | Microsoft XML Core Services 5.0 (KB951597) | Information Disclosure | Important | MS07-042 |
| Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions) | Microsoft XML Core Services 5.0 (KB951597) | Information Disclosure | Important | None |
| Microsoft Office SharePoint Server 2007 and Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions) | Microsoft XML Core Services 5.0 (KB951597) | Information Disclosure | Important | None |
| Microsoft Office Groove Server 2007 | Microsoft XML Core Services 5.0 (KB951597) | Information Disclosure | Important | MS07-042 |

*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Non-Affected Software

Software:

  • Microsoft XML Core Services 3.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2
  • Microsoft XML Core Services 3.0 on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2
  • Microsoft XML Core Services 6.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2
  • Microsoft XML Core Services 6.0 on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2
  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Office SharePoint Portal Server 2001 Service Pack 3
  • Microsoft Office SharePoint Portal Server 2003 Service Pack 3
  • Microsoft Excel Viewer 2003 Service Pack 3

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

MSXML Memory Corruption Vulnerability - CVE-2007-0099

MSXML DTD Cross-Domain Scripting Vulnerability - CVE-2008-4029

MSXML Header Request Vulnerability - CVE-2008-4033

Update Information

Detection and Deployment Tools and Guidance

Security Update Deployment

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Gregory Fleischer for reporting the MSXML DTD Cross-Domain Scripting Vulnerability (CVE-2008-4029)
  • Stefano Di Paola of Minded Security for reporting the MSXML Header Request Vulnerability (CVE-2008-4033)
  • Robert Hansen of SecTheory for reporting the additional HTTP-only defense-in-depth issue

Support

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 11, 2008): Bulletin published.
  • V1.1 (December 10, 2008): Removed the kill bit workaround from Workarounds for MSXML DTD Cross-Domain Scripting Vulnerability - CVE-2008-4029. Also added a note to the Supported Security Update Installation Switches tables clarifying that the /overwriteoem installation switch is not applicable for Microsoft XML Core Services 4.0 or Microsoft XML Core Services 6.0 when installed on Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 1, or Windows Server 2003 Service Pack 2.
  • V1.2 (December 17, 2008): Added log file entries in the Security Update Deployment section Reference table for Microsoft XML Core Services 6.0 when installed on Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition, and Windows Server 2003 x64 Edition Service Pack 2.
  • V2.0 (April 29, 2009): Added Microsoft XML Core Services 4.0 (KB954430) on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2 as affected software. Also added as non-affected software: Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB954430 do not need to reinstall.
  • V3.0 (October 13, 2009): Added Microsoft XML Core Services 4.0 (KB954430) when installed on 32-bit and x64-based editions of Windows 7 and on x64-based and Itanium-based editions of Windows Server 2008 R2 as affected software. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB954430 do not need to reinstall.
  • V4.0 (July 12, 2011): Added Microsoft XML Core Services 4.0 (KB954430) when installed on 32-bit and x64-based editions of Windows 7 Service Pack 1 and on x64-based and Itanium-based editions of Windows Server 2008 R2 Service Pack 1 as affected software. This is a detection change only; there were no changes to the binaries. The latest MBSA and SMS support this rerelease. Customers who have already successfully installed KB954430 do not need to reinstall.