OpenCVE

Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Internet Explorer Xml Core Services

Configuration 1 [-]

AND

cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*

cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html
http://isc.sans.org/diary.php?storyid=2004
http://marc.info/?l=bugtraq&m=122703006921213&w=2
http://osvdb.org/32627
http://seclists.org/fulldisclosure/2007/Jan/0110.html
http://secunia.com/advisories/23655
http://securitytracker.com/id?1021164
http://www.securityfocus.com/archive/1/455965/100/0/threaded
http://www.securityfocus.com/archive/1/455986/100/0/threaded
http://www.securityfocus.com/archive/1/456343/100/0/threaded
http://www.securityfocus.com/bid/21872
http://www.us-cert.gov/cas/techalerts/TA08-316A.html
http://www.vupen.com/english/advisories/2008/3111
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-01-08T20:00:00

Updated: 2024-08-07T12:03:37.134Z

Reserved: 2007-01-08T00:00:00

Link: CVE-2007-0099

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-01-08T20:28:00.000

Modified: 2024-11-21T00:24:58.047

Link: CVE-2007-0099

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-01-04T00:00:00", "descriptions": [{"lang": "en", "value": "Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka \"MSXML Memory Corruption Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SSRT080164", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "32627", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/32627"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2007/Jan/0110.html"}, {"name": "TA08-316A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-316A.html"}, {"name": "21872", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/21872"}, {"tags": ["x_refsource_MISC"], "url": "http://isc.sans.org/diary.php?storyid=2004"}, {"name": "23655", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23655"}, {"name": "HPSBST02386", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html"}, {"name": "ADV-2008-3111", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/3111"}, {"name": "MS08-069", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069"}, {"name": "20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/455986/100/0/threaded"}, {"name": "1021164", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1021164"}, {"name": "oval:org.mitre.oval:def:5793", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/455965/100/0/threaded"}, {"name": "20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/456343/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-0099", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka \"MSXML Memory Corruption Vulnerability.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SSRT080164", "refsource": "HP", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "32627", "refsource": "OSVDB", "url": "http://osvdb.org/32627"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2007/Jan/0110.html"}, {"name": "TA08-316A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA08-316A.html"}, {"name": "21872", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21872"}, {"name": "http://isc.sans.org/diary.php?storyid=2004", "refsource": "MISC", "url": "http://isc.sans.org/diary.php?storyid=2004"}, {"name": "23655", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23655"}, {"name": "HPSBST02386", "refsource": "HP", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html"}, {"name": "ADV-2008-3111", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3111"}, {"name": "MS08-069", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069"}, {"name": "20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/455986/100/0/threaded"}, {"name": "1021164", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1021164"}, {"name": "oval:org.mitre.oval:def:5793", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/455965/100/0/threaded"}, {"name": "20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/456343/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T12:03:37.134Z"}, "title": "CVE Program Container", "references": [{"name": "SSRT080164", "tags": ["vendor-advisory", "x_refsource_HP", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "32627", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/32627"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2007/Jan/0110.html"}, {"name": "TA08-316A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-316A.html"}, {"name": "21872", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/21872"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://isc.sans.org/diary.php?storyid=2004"}, {"name": "23655", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23655"}, {"name": "HPSBST02386", "tags": ["vendor-advisory", "x_refsource_HP", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"name": "20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html"}, {"name": "ADV-2008-3111", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/3111"}, {"name": "MS08-069", "tags": ["vendor-advisory", "x_refsource_MS", "x_transferred"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069"}, {"name": "20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/455986/100/0/threaded"}, {"name": "1021164", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1021164"}, {"name": "oval:org.mitre.oval:def:5793", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793"}, {"name": "20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/455965/100/0/threaded"}, {"name": "20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/456343/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-0099", "datePublished": "2007-01-08T20:00:00", "dateReserved": "2007-01-08T00:00:00", "dateUpdated": "2024-08-07T12:03:37.134Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "73052210-0B42-46AA-9F28-AAE3E9B6DE87", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "matchCriteriaId": "693D3C1C-E3E4-49DB-9A13-44ADDFF82507", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka \"MSXML Memory Corruption Vulnerability.\""}, {"lang": "es", "value": "Una condici\u00f3n de carrera en el m\u00f3dulo msxml3 de Microsoft XML Core Services versi\u00f3n 3.0, tal como es usado en Internet Explorer versi\u00f3n 6 y otras aplicaciones, permite a los atacantes remotos ejecutar c\u00f3digo arbitrario o causar una denegaci\u00f3n de servicio (bloqueo de aplicaci\u00f3n) por medio de muchas etiquetas anidadas en un documento XML en un IFRAME, cuando la representaci\u00f3n de documentos sincr\u00f3nicos se interrumpe con frecuencia con eventos asincr\u00f3nicos, como es demostrado mediante un temporizador de JavaScript, que puede desencadenar una desreferencia de puntero NULL o corrupci\u00f3n de memoria, tambi\u00e9n se conoce como \"MSXML Memory Corruption Vulnerability\"."}], "id": "CVE-2007-0099", "lastModified": "2024-11-21T00:24:58.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2007-01-08T20:28:00.000", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html"}, {"source": "cve@mitre.org", "url": "http://isc.sans.org/diary.php?storyid=2004"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/32627"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2007/Jan/0110.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23655"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1021164"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/455965/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/455986/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/456343/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/21872"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-316A.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/3111"}, {"source": "cve@mitre.org", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0113.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://isc.sans.org/diary.php?storyid=2004"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=122703006921213&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/32627"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2007/Jan/0110.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23655"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1021164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/455965/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/455986/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/456343/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/21872"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-316A.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/3111"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5793"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}