The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability announcement CVE-2015-1646

Windows: file reading via MSXML3 DTD

Synthesis of the vulnerability

An attacker can create a malicious DTD to read a file through MSXML3 on Windows and obtain sensitive information.
Vulnerable products: Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista.
Severity of this weakness: 3/4.
Consequences of a hack: data reading.
Hacker's origin: internet server.
Creation date: 14/04/2015.
References of this bulletin: 3046482, CERTFR-2015-AVI-157, CVE-2015-1646, MS15-039, VIGILANCE-VUL-16602.

Description of the vulnerability

The Microsoft XML Core Services (MSXML) library is used by Microsoft applications which process XML data.

It loads DTDs for XML files. However, an attacker can invite the victim to open a malicious DTD in order to access the victim's local files.

An attacker can therefore create a malicious DTD to read a file through MSXML3 on Windows and obtain sensitive information.