Microsoft Security Bulletin MS12-043 - Critical

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.
This security update is rated Critical for Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0 on all supported editions of Windows XP, Windows Vista, and Windows 7; Critical for Microsoft XML Core Services 4.0 when installed on all supported editions of Windows 8; Critical for Microsoft XML Core Services 5.0 when installed with all supported editions of Microsoft Office 2003, Microsoft Office 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007, Microsoft Groove 2007, and Microsoft Groove Server 2007; Moderate for Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2; and Moderate for Microsoft XML Core Services 4.0 when installed on all supported editions of Windows Server 2012. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by modifying the way that MSXML initializes objects in memory before use. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2719615.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. Microsoft Knowledge Base Article 2722479 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.

Top of section

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Windows Operating Systems and Components

Operating System	Component	Maximum Security Impact	Aggregate Severity Rating	Updates Replaced
Windows XP
Windows XP Service Pack 3	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 KB954459 in MS08-069 replaced by KB2719985
Windows XP Professional x64 Edition Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2721693)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 KB954459 in MS08-069 replaced by KB2721693
Windows Server 2003
Windows Server 2003 Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2721693)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 KB954459 in MS08-069 replaced by KB2721693
Windows Server 2003 x64 Edition Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2721693)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 KB954459 in MS08-069 replaced by KB2721693
Windows Server 2003 with SP2 for Itanium-based Systems	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2721693)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 KB954459 in MS08-069 replaced by KB2721693
Windows Vista
Windows Vista Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Vista x64 Edition Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 for x64-based Systems Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 for Itanium-based Systems Service Pack 2	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows 7
Windows 7 for 32-bit Systems	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows 7 for 32-bit Systems Service Pack 1	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	No updates replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows 7 for x64-based Systems	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows 7 for x64-based Systems Service Pack 1	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Critical	No updates replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 R2 for x64-based Systems Service Pack 1	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	No updates replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 R2 for Itanium-based Systems	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	KB2079403 in MS10-051 replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1	Microsoft XML Core Services 3.0 (KB2719985) Microsoft XML Core Services 4.0 (KB2721691) Microsoft XML Core Services 6.0 (KB2719985)	Remote Code Execution	Moderate	No updates replaced by KB2719985 KB954430 in MS08-069 replaced by KB2721691 No updates replaced by KB2719985
Windows 8
Windows 8 for 32-bit Systems	Microsoft XML Core Services 4.0 (KB2721691)	Remote Code Execution	Critical	None
Windows 8 for 64-bit Systems	Microsoft XML Core Services 4.0 (KB2721691)	Remote Code Execution	Critical	None
Windows Server 2012
Windows Server 2012	Microsoft XML Core Services 4.0 (KB2721691)	Remote Code Execution	Moderate	None

Microsoft Office Suites and Software

Office Software	Component	Maximum Security Impact	Aggregate Severity Rating	Updates Replaced
Microsoft Office Suites and Components
Microsoft Office 2003 Service Pack 3	Microsoft XML Core Services 5.0[1] (KB2687627)	Remote Code Execution	Critical	KB951535 in MS08-069 replaced by KB2687324 or KB2687627
Microsoft Office 2007 Service Pack 2	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Microsoft Office 2007 Service Pack 3	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Other Microsoft Office Software
Microsoft Office Word Viewer	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Microsoft Office Compatibility Pack Service Pack 2	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Microsoft Office Compatibility Pack Service Pack 3	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Microsoft Groove 2007 Service Pack 2	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Groove 2007 Service Pack 3	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None

^[1]Although the rereleased update (KB2687627) replaces the original update (KB2687324) for Microsoft Office 2003 Service Pack 3, customers who have successfully installed the KB2687324 update do not need to install the KB2687627 update. For more information, see the update FAQ.
^[2]Although the rereleased update (KB2687497) replaces the original update (KB2596679) for Microsoft Groove 2007 Service Pack 2 and Microsoft Groove 2007 Service Pack 3, customers who have successfully installed the KB2596679 update do not need to install the KB2687497 update. For more information, see the update FAQ.

Microsoft Developer Tools and Software

Software	Component	Maximum Security Impact	Aggregate Severity Rating	Updates Replaced
Microsoft Expression Web Service Pack 1	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	None
Microsoft Expression Web 2	Microsoft XML Core Services 5.0 (KB2596856)	Remote Code Execution	Critical	KB951550 in MS08-069 replaced by KB2596856

Microsoft Server Software

Software	Component	Maximum Security Impact	Aggregate Severity Rating	Updates Replaced
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions)	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Office SharePoint Server 2007 Service Pack 3 (32-bit editions)	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Office SharePoint Server 2007 Service Pack 3 (64-bit editions)	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Groove Server 2007 Service Pack 2	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None
Microsoft Groove Server 2007 Service Pack 3	Microsoft XML Core Services 5.0[2] (KB2687497)	Remote Code Execution	Critical	None

^[2]Although the rereleased update (KB2687497) replaces the original update (KB2596679) for affected editions of Microsoft Office SharePoint Server 2007 and Microsoft Groove Server 2007, customers who have successfully installed the KB2596679 update do not need to install the KB2687497 update. For more information, see the update FAQ.