CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.2%
Microsoft Windows fails to properly handle protocols specified in a URI, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
A Uniform Resource Identifier (URI) is a string of characters that can be used to identify a location, resource, or protocol. Microsoft Windows will parse a URI to determine the appropriate application that is registered to handle the protocol. More information about how Windows accomplishes this is available in Microsoft Knowledge Base article 224816. Several types of Windows applications, such as web browsers and email clients, may rely on Microsoft Windows to determine the proper application to handle a specified URI.
Internet Explorer 7 has changed how Microsoft Windows parses URIs. This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. This flaw appears to rely on having a β%β character in the URI.
Publicly available exploit code uses Mozilla Firefox as an attack vector for this vulnerability. For more information, including workarounds, please see VU#783400.
Microsoft Windows may incorrectly determine the appropriate application to handle a protocol. For example, a βsafeβ protocol such as mailto:
may be incorrectly handled with an βunsafeβ application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands.
Apply an update
This issue is addressed in Microsoft Security Bulletin MS07-061. This update provides a newer version of Shell32.dll
, which performs additional validation of URIs.
403150
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: October 11, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: November 13, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
This issue is addressed in Microsoft Security Bulletin MS07-061. This update provides a newer version of Shell32.dll
.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403150 Feedback>).
Updated: October 11, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was publicly disclosed by Billy Rios.
This document was written by Will Dormann.
CVE IDs: | CVE-2007-3896 |
---|---|
Severity Metric: | 18.43 Date Public: |
blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx
en.wikipedia.org/wiki/Uniform_Resource_Identifier
kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
secunia.com/advisories/26201/
support.microsoft.com/kb/224816
www.adobe.com/support/security/advisories/apsa07-04.html
www.adobe.com/support/security/bulletins/apsb07-18.html
www.microsoft.com/technet/security/advisory/943521.mspx
www.microsoft.com/technet/security/bulletin/ms07-061.mspx
xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/
xs-sniper.com/blog/remote-command-exec-firefox-2005/
bugzilla.mozilla.org/show_bug.cgi?id=389580