Windows 2003 SP2, MS07-016 and IE7

According to Microsoft TechNet, MS07-016 is included in Windows 2003 Service Pack 2.
However, if you install IE7 after installing SP2 for Windows 2003, you end up with a wininet.dll that is version 7.0.5730.11. According to MS07-016, this is a vulnerable version of this dll.
So now, we’re in a pickle. As of Monday, Windows Update did not recognize a need for MS07-016 on this computer. The Security Bulletin does not address this scenario.
I contacted our Microsoft Technical Account Manager. He contacted the security group at Microsoft, who verified that the system is vulnerable and that we must reapply the patch. Fortunately the Cumulative Update for Internet Explorer 7 for Windows Server 2003 (KB928090) worked on this system even though the patch says it’s for Windows 2003 SP1.
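Since Windows Update did not flag this box, the practical check is to read the file version of wininet.dll yourself rather than trust the update client. The script below is an added example, not code from the original post or from Microsoft. It takes the vulnerable version named above (7.0.5730.11) as its threshold and reports "exposed" when the installed file is at or below it; the page does not state the post-patch build number, so a "matches the fixed version" comparison is deliberately not attempted. The function names, the default path under %windir%\system32, and the use of the Win32_QuickFixEngineering WMI class to look for KB928090 are my assumptions, not anything the post describes.

```powershell
# Added example (not from the original post). Reads the numeric file version
# of wininet.dll and compares it with the build MS07-016 lists as vulnerable,
# as quoted in the post: 7.0.5730.11. The patched build number is not given
# on the page, so the test is "at or below the known-vulnerable version".

function Get-WininetVersion {
    param(
        # Assumed default location; pass another path for the WOW64 copy etc.
        [string]$Path = (Join-Path $env:windir 'system32\wininet.dll')
    )
    if (-not (Test-Path $Path)) {
        throw "wininet.dll not found at $Path"
    }
    # Use the numeric parts, not the FileVersion string. Microsoft's string
    # form looks like "7.00.5730.11 (winmain(wmbla).070228-1709)" and does
    # not cast to [System.Version] directly.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList @(
        $info.FileMajorPart, $info.FileMinorPart,
        $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-Ms07016Exposure {
    param(
        [System.Version]$Installed = (Get-WininetVersion),
        # Version the post names as vulnerable according to MS07-016.
        [System.Version]$KnownVulnerable = [System.Version]'7.0.5730.11'
    )
    # System.Version is IComparable, so -le compares all four parts in order.
    $exposed = ($Installed -le $KnownVulnerable)

    # Windows Update missed this host, so also record whether the IE7
    # cumulative update (KB928090) shows up in the installed-hotfix list.
    # Assumption: the QFE class is populated on this host.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq 'KB928090' }

    New-Object PSObject -Property @{
        Installed          = $Installed.ToString()
        KnownVulnerable    = $KnownVulnerable.ToString()
        Exposed            = $exposed
        KB928090Installed  = [bool]$qfe
    }
}

# Usage: run on the server after installing IE7 on SP2 and again after
# applying KB928090; Exposed should flip from True to False.
Test-Ms07016Exposure | Format-List
```

On x64 editions there is a second copy of wininet.dll under SysWOW64; call Get-WininetVersion with that path as well, since a 32-bit IE process loads that copy, not the one in system32.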

2 Comments

  1. Were you able to test to see if the version with the older wininet.dll was vulnerable? The patch fixes a lot of non-security-related bugs, so maybe wininet isn’t related to the security fixes.

  2. I figured there were two ways to test this. One – find exploit code and see if it works. Of course the code might be platform specific and not work anyway. Two – Ask Microsoft if I should apply the patch.
    While the former might be interesting, the latter is what I went with. This is for work, and I had a lot of other things to do.
    Wininet.dll was updated in this patch because of the FTP Server Response Parsing Memory Corruption Vulnerability (CVE-2007-0217).
    http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473
