===================================================================== CERT-Renater Note d'Information No. 2006/VULN442 _____________________________________________________________________ DATE : 09/08/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Microsoft Windows XP et 2003 ====================================================================== MS06-043 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214) - Affected Software: - Microsoft Windows XP Service Pack 2 - Microsoft Windows XP Professional x64 Edition - Microsoft Windows Server 2003 Service Pack 1 - Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Microsoft Windows Server 2003 x64 Edition - Impact: Remote Code Execution - Version Number: 1.0 - - From the Microsoft Security Bulletin MS05-043: Vulnerability Details MHTML Parsing Vulnerability - CVE-2006-2766: There is a remote code execution vulnerability in Windows that results from incorrect parsing of the MHTML protocol. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially lead to remote code execution if a user visited a specially crafted Web site or clicked a link in a specially crafted e-mail message. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================