Vulnerability ID 2932

Microsoft Windows Malware Protection Engine PDF File Integer buffer overflow

Microsoft
CVSSv3 Temp Score: 7.0
Current Exploit Price (≈): $5k-$10k

A vulnerability was found in Microsoft Windows (the affected version is unknown). It has been declared as critical. This vulnerability affects an unknown function of the component Malware Protection Engine. Manipulation of a PDF file leads to an integer overflow that results in a buffer overflow. The impact is known to affect confidentiality, integrity, and availability.

The weakness was disclosed on 02/13/2007 by Neel Mehta of ISS X-Force as MS07-010, a confirmed bulletin (Technet). The advisory is available for download at microsoft.com. This vulnerability has been assigned CVE-2006-5270 since 10/13/2006. The attack can be initiated remotely. No form of authentication is required for successful exploitation. Neither technical details nor an exploit are publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 24334 (MS07-010: Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and runs in the local context. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90382.

Upgrading eliminates this vulnerability. Applying the patch MS07-010 eliminates this problem. The bugfix is available for download at microsoft.com. The best possible mitigation is upgrading to the latest version. A mitigation was published immediately after the disclosure of the vulnerability. Furthermore, it is possible to detect and prevent this kind of attack with TippingPoint and the filter 5114.

The vulnerability is also documented in the databases at SecurityFocus (BID 22479), X-Force (31127), Secunia (SA24146), SecurityTracker (ID 1017636) and Vulnerability Center (SBV-14277). Similar entries are available at 2930, 2931 and 2933.

CVSSv3

Base Score: 7.3
Temp Score: 7.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
Reliability: High

CVSSv2

Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
Temp Score: 5.9 (CVSS2#E:ND/RL:OF/RC:C)
Reliability: High

CVSSv2 metric legend (values selected for this entry are marked with *):
AV Access Vector: Local (L), Adjacent (A), Network (N)*
AC Access Complexity: High (H), Medium (M)*, Low (L)
Au Authentication: Multiple (M), Single (S), None (N)*
C Confidentiality: None (N), Partial (P)*, Complete (C)
I Integrity: None (N), Partial (P)*, Complete (C)
A Availability: None (N), Partial (P)*, Complete (C)

CPE

Exploiting

Class: Buffer overflow
Local: No
Remote: Yes

Availability: No

Current Price Estimation: $50k-$100k (0-day) / $5k-$10k (Today)


Nessus ID: 24334
Nessus Name: MS07-010: Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
Nessus File: smb_nt_ms07-010.nasl
Nessus Family: Windows : Microsoft Bulletins
Nessus Context: local
Qualys ID: 90382

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Patch: MS07-010
TippingPoint: 5114

Timeline

10/13/2006 CVE assigned
02/13/2007 +123 days Advisory disclosed
02/13/2007 +0 days Countermeasure disclosed
02/13/2007 +0 days NVD disclosed
02/13/2007 +0 days VulnerabilityCenter entry assigned
02/13/2007 +0 days Nessus plugin released
02/13/2007 +1 days OSVDB entry created
02/14/2007 +0 days VulnerabilityCenter entry created
02/15/2007 +1 days VulDB entry created
02/15/2015 +2922 days VulnerabilityCenter entry updated
07/07/2015 +143 days VulDB entry updated

Sources

Advisory: MS07-010
Researcher: Neel Mehta
Organization: ISS X-Force
Status: Confirmed

CVE: CVE-2006-5270 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 22479 - Microsoft Antivirus Engine Integer Overflow Vulnerability
Secunia: 24146 - Microsoft Malware Protection Engine PDF File Parsing Vulnerability, Highly Critical
X-Force: 31127
SecurityTracker: 1017636 - Microsoft Windows Defender Integer Overflow in Parsing PDF Files Lets Remote Users Execute Arbitrary Code
Vulnerability Center: 14277 - [MS07-010] Microsoft Malware Protection Engine Integer Overflow via PDF File, Medium
OSVDB: 31888
Vupen: ADV-2007-0579

See also: 2930, 2931, 2933

Entry

Created: 02/15/2007
Updated: 07/07/2015
Entry: 97% complete