CERT-In Vulnerability Note CIVN-2008-159
Microsoft Internet Explorer Multiple Cross-Domain Vulnerabilities

Original Issue Date: October 16, 2008

Severity Rating: High

Systems Affected

  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 6.x
  • Microsoft Internet Explorer 7.x

Overview

Multiple vulnerabilities have been reported in Microsoft Internet Explorer that could be exploited by a remote attacker to disclose potentially sensitive information or execute remote code in the context of the logged-on user.

Description

  • Cross-Domain Information Disclosure Vulnerability (CVE-2008-3474)

    This is an information disclosure vulnerability caused by Microsoft Internet Explorer incorrectly interpreting the origin of scripts when handling certain specially crafted HTML elements.

    Successful exploitation of this vulnerability could allow an attacker to read cookies or other data from another security zone or domain in the context of the logged-on user.

  • Various remote code execution vulnerabilities reported:

    • Window Location Property Cross-Domain Vulnerability (CVE-2008-2947)

      This vulnerability is caused by an input validation error in Microsoft Internet Explorer when handling the "location" or "location.href" property of a window object.

    • HTML Element Cross-Domain Vulnerability (CVE-2008-3472)

      This vulnerability is caused by Microsoft Internet Explorer incorrectly interpreting the origin of scripts when handling certain HTML elements.

    • Event Handling Cross-Domain Vulnerability (CVE-2008-3473)

      This vulnerability is caused by Microsoft Internet Explorer incorrectly interpreting the origin of scripts when handling certain events.

    • Uninitialized Memory Corruption Vulnerability (CVE-2008-3475)

      This vulnerability is caused by a memory corruption error in Microsoft Internet Explorer when the browser attempts to access an object that is uninitialized or has been deleted. The flaw exists in the “componentFromPoint()” method exposed through JavaScript. The implementation of this method for a particular object can be used to arbitrarily control memory access.

    • HTML Objects Memory Corruption Vulnerability (CVE-2008-3476)

      This vulnerability is caused by a memory corruption error in Microsoft Internet Explorer when the browser attempts to access uninitialized memory while processing certain HTML objects.

    An attacker could exploit these remote code execution vulnerabilities by creating a specially crafted web page and enticing a user to open it. Opening this web page could allow the attacker to execute arbitrary code in the context of the logged-on user, in a domain or Internet Explorer security zone other than the one in which it originated.

Workaround

  • Set the Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting, in the Internet and Local intranet security zones.

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS08-058.
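
The following PowerShell audit is an added example, not part of the CERT-In note or the Microsoft bulletin; it reports whether the two workarounds above are in effect for the current user. The registry path, zone numbers (1 = Local intranet, 3 = Internet) and URL action IDs (1200, 1400) are the standard Internet Explorer zone settings and are assumptions not stated on this page; the script reads only the per-user hive, so settings enforced through Group Policy are not reflected.

```powershell
# Added example: audit the zone workarounds for the current user (read-only).
# Zone numbers and URL action IDs are the standard IE zone registry values,
# assumed here; they do not appear in the advisory itself.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'
              '1400' = 'Active scripting' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $base $zone
    foreach ($id in ($actions.Keys | Sort-Object)) {
        # Read the DWORD for this URL action; $null when the key or value is absent.
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue).$id
        }

        if ($null -eq $value) {
            $setting = 'Not set (zone default applies)'
        } elseif ($meaning.ContainsKey([int]$value)) {
            $setting = $meaning[[int]$value]
        } else {
            # Any other value (for example an administrator-approved list) is shown raw.
            $setting = 'Other (0x{0:X})' -f $value
        }

        [pscustomobject]@{
            Zone              = $zones[$zone]
            Action            = $actions[$id]
            Setting           = $setting
            # The workaround asks for Prompt (1) or Disable (3); anything else fails.
            WorkaroundApplied = ($value -in 1, 3)
        }
    }
}

$report | Format-Table -AutoSize

if ($report.WorkaroundApplied -contains $false) {
    Write-Warning 'At least one zone still runs ActiveX or Active Scripting without a prompt.'
}
```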

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS08-058.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx

References

ZeroDayInitiative
http://www.zerodayinitiative.com/advisories/ZDI-08-069/

FrSIRT
http://www.frsirt.com/english/advisories/2008/2809

SecurityFocus
http://www.securityfocus.com/bid/31616

Secunia
http://secunia.com/advisories/30851/
http://secunia.com/advisories/30857/

Securitytracker
http://securitytracker.com/alerts/2008/Oct/1021047.html

CVE Name
CVE-2008-2947
CVE-2008-3472
CVE-2008-3473
CVE-2008-3474
CVE-2008-3475
CVE-2008-3476

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.
