=====================================================================
CERT-Renater
Information Note No. 2014/VULN128
_____________________________________________________________________

DATE: 11/06/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows version Server 2003, Vista, Server 2008, 7, Server 2008, 8, Server 2012, RT, 8.1, RT 8.1.

======================================================================
KB2966061
https://technet.microsoft.com/library/security/ms14-033
______________________________________________________________________

Microsoft Security Bulletin MS14-033 - Important

Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)

Published: June 10, 2014
Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website.

This security update for Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 is rated Important on all supported releases of Microsoft Windows clients and Low for all supported releases of Microsoft Windows servers.

Affected Software

Windows Server 2003 Service Pack 2 - Microsoft XML Core Services 3.0
Windows Vista - Microsoft XML Core Services 3.0
Windows Server 2008 - Microsoft XML Core Services 3.0
Windows 7 - Microsoft XML Core Services 3.0
Windows Server 2008 R2 - Microsoft XML Core Services 3.0
Windows 8 and Windows 8.1 - Microsoft XML Core Services 3.0
Windows Server 2012 and Windows Server 2012 R2 - Microsoft XML Core Services 3.0
Windows RT and Windows RT 8.1 - Microsoft XML Core Services 3.0

MSXML Entity URI Vulnerability - CVE-2014-1816

An information disclosure vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may allow an attacker to access information not otherwise allowed.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
==========================================================