MS08-069 MS XML Core Vulnerability (Nov 12, 2008)
Microsoft has released an advisory for its XML processing framework during this month’s Microsoft Patch Day. It is named MSXML or Microsoft XML Core services. The framework may be used by developers in third party applications as well as applications shipped with the operating system. The most popular application using this framework is Internet Explorer, which can transform XML files using XSL stylesheets.
The XML Core Services package contains the DOMDocument ActiveX object which represents the top level of the XML source. Document Type Definition (DTD) is one of several SGML and XML schema languages that DOMDocument can parse. DOMDocument includes members for retrieving and creating all other XML objects. One of those member methods, loadXML, can load an XML document using the supplied string. The supplied string can contain external DTD, which resides in a separate document and is referred by the URI of the DTD file.
An information disclosure vulnerability exists in the DOMDocument ActiveX object control implementation. The flaw is due to a design weakness in the way XML core service handles error checks for external DTDs. Normally, one domain cannot access other different domains for information. However, the vulnerable versions of MSXML allow parameter entities in external DTDs to reference data on a different domain. A successful exploitation would disclose cross-domain potential confidential information to the attacker.
To protect SonicWALL customers from being attacked by any attacks addressing this vulnerability, the SonicWALL UTM team has created and released the following IPS signatures at the same day as the advisory was released.
- 1210 MS XML Core Services parseError Info Disclosure Attempt 2 (MS08-069)
- 1209 MS XML Core Services parseError Info Disclosure Attempt 1 (MS08-069)