Microsoft Gadgets Multiple Vulnerabilities

Overview

» IDS/IPS Signatures

Security Sites

iPolicy Networks Security Advisory


Date Discovered:	08/14/2007
Severity:	Medium
Operating Systems Affected:	Windows Vista Windows Vista x64 Edition

Synopsis

A Multiple vulnerabilities exists in Windows Vista Feed Headlines Gadgets, Contacts Gadget and Weather Gadgets. This vulnerabilities could allow a remote anonymous attacker to run code with the privileges of the logged on user.

Recommended Actions

Update the patches as guided by vendor at :
http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx

Threat Analysis

Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats all executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages.

A Multiple vulnerabilities exists in Windows Vista Feed Headlines Gadgets, Contacts Gadget and Weather Gadgets. The Gadget does not perform sufficient validation when parsing HTML attributes. This vulnerabilities could allow a remote anonymous attacker to run code with the privileges of the logged on user.

References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3033
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3032
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3891

Write-up by: Aditya Chaturvedi