Description
Microsoft XML Core Services Information Disclosure Vulnerability
An information disclosure vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.
To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.
The update addresses the vulnerability by changing the way MSXML handles objects in memory.
FAQ
Some versions of MSXML are included with Microsoft Windows; others are installed with non-operating system software from Microsoft or third-party providers. Some are also available as separate downloads. The following table shows which versions of MSXML are included with Windows and which are installed with the installation of additional Microsoft or third-party software.
| Operating System | MSXML 3.0 |
|---|---|
| Windows Vista | Shipped with operating system |
| Windows Server 2008 | Shipped with operating system |
| Windows 7 | Shipped with operating system |
| Windows Server 2008 R2 | Shipped with operating system |
| Windows 8.1 | Shipped with operating system |
| Windows Server 2012 and Windows Server 2012 R2 | Shipped with operating system |
| Windows 10 (all releases) | Shipped with operating system |
| Windows Server 2016 | Shipped with operating system |
Updates
| Product | Article | Update |
|---|---|---|
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | ||
| Windows Server 2012 | ||
| Windows Server 2012 (Server Core installation) | ||
| Windows 8.1 for 32-bit systems | ||
| Windows 8.1 for x64-based systems | ||
| Windows Server 2012 R2 | ||
| Windows Server 2012 R2 (Server Core installation) | ||
| Microsoft XML Core Services 3.0 on Windows Server 2012 R2 | ||
| Microsoft XML Core Services 3.0 on Windows Server 2012 R2 (Server Core installation) | ||
| Microsoft XML Core Services 3.0 on Windows 8.1 for 32-bit systems | ||
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
4.3 Medium
CVSS3
Related vulnerabilities
Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site, aka "Microsoft XML Information Disclosure Vulnerability."
A vulnerability in the Windows operating system that allows an attacker to check for files on disk