Microsoft Windows 8.1 and earlier versions vulnerable to XMLDOM XML Injection Vulnerability in Internet Explorer 6 to 11

CERT-In, the Indian Computer Emergency Response Team, has warned that Microsoft Windows 8.1 and earlier versions are at risk due to a vulnerability in the XMLDOM ActiveX control. The vulnerability can be exploited through Internet Explorer versions 6 to 11. Attackers can take advantage of it to inject XMLDOM XML code and obtain the Windows PC user's personal information, or make the Windows PC a zombie computer that takes part in a DoS or DDoS attack on websites.

Though the vulnerability has been marked as severe by CERT-In, a researcher at CXSecurity has said that this may be a medium-low level vulnerability. I am reproducing the entire code given by the CXSecurity researcher:


The above code is printed courtesy of cxsecurity.com.


The two vulnerabilities have been classified as follows:

1. Information disclosure vulnerability (CVE-2013-7331)


This vulnerability exists because the XMLDOM ActiveX control contains methods that can leak information about a computer system to the operator of a website. A remote attacker could exploit this vulnerability to obtain sensitive information such as local drive letters, files, and directory names by enticing a user to visit a specially crafted webpage and examining the error codes generated.



CERT-In has said that this vulnerability is being exploited in the wild, but CXSecurity says that this may lead to only marginal exploitation.

2. Denial of service vulnerability (CVE-2013-7332)


This vulnerability exists due to improper detection of recursion during entity expansion. A remote attacker could exploit it by convincing a user to open a crafted XML document containing a large number of nested entity references, causing memory and CPU consumption that results in a denial of service (DoS) condition. The machine can then be turned into a "zombie computer" to launch a Denial of Service (DoS) attack in the wild or a dedicated Distributed Denial of Service (DDoS) attack.
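A pre-parse check for the recursion and nested-entity condition described above, as an added example that is not from CERT-In, CXSecurity or Microsoft. The function names, the one-million-character budget and the sample documents are assumptions constructed for illustration, and only internal general entities are considered.

```python
import re

# Internal general entity declarations: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')

class EntityRecursion(ValueError):
    """An entity refers to itself, directly or through other entities."""

def expanded_sizes(xml_text):
    """Map each declared entity to its expanded length, without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)       # in XML the first declaration wins
    sizes, started = {}, set()

    def size(name):
        if name not in decls:
            return 1                        # predefined (&amp;) or undeclared
        if name in sizes:
            return sizes[name]              # already computed (memoised)
        if name in started:                 # started but unfinished: a cycle
            raise EntityRecursion(name)
        started.add(name)
        refs = ENTITY_REF.findall(decls[name])
        sizes[name] = len(ENTITY_REF.sub("", decls[name])) + sum(map(size, refs))
        return sizes[name]

    return {name: size(name) for name in decls}

def check_document(xml_text, max_chars=1_000_000):
    """Return (ok, reason) for a document before it reaches a real XML parser."""
    try:
        sizes = expanded_sizes(xml_text)
    except EntityRecursion as exc:
        return False, f"recursive entity '{exc}'"
    except RecursionError:
        return False, "entity nesting too deep"
    body = ENTITY_DECL.sub("", xml_text)    # text outside the declarations
    total = sum(sizes.get(ref, 1) for ref in ENTITY_REF.findall(body))
    if total > max_chars:
        return False, f"entities expand to {total} characters"
    return True, "ok"

# Constructed samples (not taken from the advisory or from CXSecurity).
BENIGN = '<!DOCTYPE d [<!ENTITY co "Example Corp">]><d>&co; and &co;</d>'
NESTED = '<!DOCTYPE d [<!ENTITY a "0123456789">' + "".join(
    '<!ENTITY %s "%s">' % (n, ("&" + p + ";") * 10)
    for p, n in zip("abcdef", "bcdefg")) + ']><d>&g;</d>'
RECURSIVE = '<!DOCTYPE d [<!ENTITY a "&b;"><!ENTITY b "&a;">]><d>&a;</d>'
```

The sizes are computed arithmetically, so the check itself stays cheap on a document whose expansion would be enormous; external and parameter entities are outside its scope.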



As of now, Microsoft has not issued any fix or patch for these vulnerabilities, but there is a workaround available if you want to safeguard your computer. Set the Internet and Local intranet security zone settings in Internet Explorer to "High". This disables both XMLDOM ActiveX controls and Active Scripting in Internet Explorer, so the scripts can't be executed.
