



Microsoft XML Core Services Vulnerability

Report ID: SA201006491
Source: F-Secure
Date of Discovery: 10.08.2010
Criticality: Critical
Affects:
Microsoft XML Core Services 3.0

Compromise From: From remote
Compromise Type: Remote code execution

Summary

A vulnerability in Microsoft XML Core Services 3.0 could allow a remote attacker to execute arbitrary code and take control of an affected system.

Detailed Description

A vulnerability in Microsoft XML Core Services 3.0, caused by a bug in how MSXML handles HTTP responses, may corrupt the system state, leaving the system vulnerable to attack. Through a maliciously crafted website that invokes MSXML, an attacker could exploit the vulnerability to run arbitrary code and gain system access.

 

Solution

Install the latest update for the applicable system.

Windows XP

  • Windows XP Service Pack 3 - Microsoft XML Core Services 3.0
  • Windows XP Professional x64 Edition Service Pack 2 - Microsoft XML Core Services 3.0
 

Windows Server 2003

  • Windows Server 2003 Service Pack 2 - Microsoft XML Core Services 3.0
  • Windows Server 2003 x64 Edition Service Pack 2 - Microsoft XML Core Services 3.0
  • Windows Server 2003 with SP2 for Itanium-based Systems - Microsoft XML Core Services 3.0
 

Windows Vista

  • Windows Vista Service Pack 1 - Microsoft XML Core Services 3.0
  • Windows Vista Service Pack 2 - Microsoft XML Core Services 3.0
  • Windows Vista x64 Edition Service Pack 1 - Microsoft XML Core Services 3.0
  • Windows Vista x64 Edition Service Pack 2 - Microsoft XML Core Services 3.0
 

Windows Server

  • Windows Server 2008 for 32-bit Systems* - Microsoft XML Core Services 3.0
  • Windows Server 2008 for 32-bit Systems Service Pack 2* - Microsoft XML Core Services 3.0
  • Windows Server 2008 for x64-based Systems* - Microsoft XML Core Services 3.0
  • Windows Server 2008 for x64-based Systems Service Pack 2* - Microsoft XML Core Services 3.0
  • Windows Server 2008 for Itanium-based Systems - Microsoft XML Core Services 3.0
 

Windows 7

  • Windows 7 for 32-bit Systems - Microsoft XML Core Services 3.0
  • Windows 7 for x64-based Systems - Microsoft XML Core Services 3.0
 

Windows Server 2008 R2

  • Windows Server 2008 R2 for x64-based Systems* - Microsoft XML Core Services 3.0
  • Windows Server 2008 R2 for Itanium-based Systems - Microsoft XML Core Services 3.0
 

*Server Core installation affected.

 

Original Reference

CVE Reference

CVE-2010-2561