
CERT-In Vulnerability Note CIVN-2008-43
Microsoft Data Stream Handling Memory Corruption Vulnerability

Original Issue Date: April 10, 2008

Severity Rating: High

System Affected

  • Internet Explorer 5.01
  • Internet Explorer 6
  • Internet Explorer 7

Overview

A vulnerability has been reported in Microsoft Internet Explorer that could be exploited by an attacker to take complete control of the system.

Description

The vulnerability is caused by an error in processing specially crafted data streams. It can be exploited to trigger a use-after-free condition by returning a specially crafted data stream, such as one with an unexpected MIME type for which no handler is registered.

An attacker could exploit this vulnerability by creating and hosting a specially crafted website designed to exploit it through Internet Explorer, and then persuading a user to visit the website, typically by getting them to click on a link to it. Visiting such a website with an affected version of Microsoft Internet Explorer corrupts system memory, allowing execution of arbitrary code with the privileges of the logged-on user.

Workaround

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-024.


Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx

Secunia
http://secunia.com/secunia_research/2007-100/advisory/

CVE Name
CVE-2008-1085

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003