MS08-069 MS XML Core Vulnerability (Nov 12, 2008)


Microsoft has released an advisory for its XML processing framework during this month’s Microsoft Patch Day. It is named MSXML or Microsoft XML Core services. The framework may be used by developers in third party applications as well as applications shipped with the operating system. The most popular application using this framework is Internet Explorer, which can transform XML files using XSL stylesheets.

The XML Core Services package contains the DOMDocument ActiveX object which represents the top level of the XML source. Document Type Definition (DTD) is one of several SGML and XML schema languages that DOMDocument can parse. DOMDocument includes members for retrieving and creating all other XML objects. One of those member methods, loadXML, can load an XML document using the supplied string. The supplied string can contain external DTD, which resides in a separate document and is referred by the URI of the DTD file.

An information disclosure vulnerability exists in the DOMDocument ActiveX object control implementation. The flaw is due to a design weakness in the way XML core service handles error checks for external DTDs. Normally, one domain cannot access other different domains for information. However, the vulnerable versions of MSXML allow parameter entities in external DTDs to reference data on a different domain. A successful exploitation would disclose cross-domain potential confidential information to the attacker.

To protect SonicWALL customers from being attacked by any attacks addressing this vulnerability, the SonicWALL UTM team has created and released the following IPS signatures at the same day as the advisory was released.

  • 1210 MS XML Core Services parseError Info Disclosure Attempt 2 (MS08-069)
  • 1209 MS XML Core Services parseError Info Disclosure Attempt 1 (MS08-069)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.