CERT-In Vulnerability Note CIVN-2008-78
Microsoft Internet Explorer Memory Corruption and Information Disclosure Vulnerabilities

Original Issue Date: June 12, 2008

Severity Rating: High

System Affected

  • Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1
  • Internet Explorer 6
  • Internet Explorer 7

Overview

Two vulnerabilities have been reported in Microsoft Internet Explorer that could be exploited by an attacker to take complete control of the system or to disclose information.

Description

1. HTML Objects Memory Corruption Vulnerability (CVE-2008-1442)

The vulnerability is caused by an error in Microsoft Internet Explorer when displaying a web page that contains certain unexpected method calls to HTML objects. Successful exploitation corrupts system memory in a way that allows execution of arbitrary code with the privileges of the logged-on user.

An attacker could exploit this vulnerability by creating a specially crafted website, hosting it, and then persuading a user to visit it, typically by getting them to click a link to the website. Visiting such a website corrupts system memory and allows execution of arbitrary code.

2. Request Header Cross-Domain Information Disclosure Vulnerability (CVE-2008-1544)

The vulnerability is caused by incorrect parsing of a specially crafted request header by Internet Explorer. As a result, Internet Explorer violates the same-origin policy, which is an important security measure for client-side scripting.

Successful exploitation allows an attacker to read data from another domain in Internet Explorer.

An attacker could exploit this vulnerability by creating a specially crafted website, hosting it, and then persuading a user to visit it, typically by getting them to click a link to the website.

Workarounds

  • Configure Internet Explorer to prompt before running Active Scripting
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
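
As an added example (not part of the CERT-In note or the Microsoft bulletin), the following PowerShell audits the per-user zone values behind the two workarounds above and can set them to prompt. The registry path, zone numbers (1, 3), URL action IDs (1400, 1200) and value meanings are assumptions taken from Microsoft's documented Internet Explorer zone layout, not from this note; the function name is hypothetical.

```powershell
# Added example: audit (and optionally set) the per-user IE zone values behind
# the workarounds. Assumed from Microsoft's zone documentation, not this note:
# zone 1 = Local intranet, 3 = Internet; action 1400 = Active scripting,
# 1200 = Run ActiveX controls and plug-ins; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions  = @{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneWorkaroundStatus {   # hypothetical name
    param([switch]$SetPrompt)           # -SetPrompt writes 1 (Prompt) before reading back
    foreach ($zone in ($Zones.Keys | Sort-Object)) {
        $key = Join-Path $ZoneRoot $zone
        foreach ($action in ($Actions.Keys | Sort-Object)) {
            if ($SetPrompt -and (Test-Path $key)) {
                Set-ItemProperty -Path $key -Name $action -Value 1 -Type DWord
            }
            # Read the current value; a missing key or value is reported as 'not set'.
            $value = $null
            $item  = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$action }
            if ($null -eq $value) { $state = 'not set' }
            elseif ($Meaning.ContainsKey([int]$value)) { $state = $Meaning[[int]$value] }
            else { $state = "other ($value)" }
            New-Object PSObject -Property @{
                Zone             = $Zones[$zone]
                Setting          = $Actions[$action]
                State            = $state
                # Prompt (1) satisfies the workaround; Disable (3) is stricter still.
                PromptOrStricter = (@(1, 3) -contains $value)
            }
        }
    }
}

# Audit only; nothing is changed unless -SetPrompt is passed.
Get-IEZoneWorkaroundStatus | Format-Table Zone, Setting, State, PromptOrStricter -AutoSize
```

Values enforced through Group Policy take precedence over these per-user values, so confirm the result against the effective policy on managed systems.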

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS08-031.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx

Secunia
http://secunia.com/advisories/30575/

CVE-Name
CVE-2008-1442
CVE-2008-1544

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003