XMLDOM substringData() heap overflow (CVE-2007-2223)
Description
XML Core Services (also known as MSXML) is a library for processing XML files. It can be used by web pages rendered by Internet Explorer. A bug in the substringData() function makes Internet Explorer crash if certain values are passed as substringData() arguments. This bug can be used to make Internet Explorer execute arbitrary code.
This is an arbitrary code execution vulnerability. It means that it can be used to place a backdoor, a virus or spyware on a vulnerable computer.
Recommendations
If you are using Microsoft Windows, we recommend using Windows Update to correct this problem. See also Microsoft Security Bulletin MS07-042 for information about the patch for this problem.
If you are not using Microsoft Windows, this result is most probably a false positive. Try running the test for this vulnerability again. If your browser does not crash during the test for this vulnerability, it is not vulnerable.