HOME > VULNERABILITY NOTES


   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-74
Microsoft Windows Search Script Injection vulnerability

Original Issue Date:June 11, 2009

Severity Rating: Medium

Systems Affected

Windows Search 4.0 installed on

  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2

Overview

Microsoft Windows Search contains a script injection vulnerability which could allow an unauthenticated, remote attacker to view sensitive information

Description

Windows Search allows instant search capabilities for most common file and data types such as e-mail, contacts, calendar appointments, documents, photos, multimedia, and other formats extended by third parties. These capabilities enable users to more efficiently find, manage, and organize the increasing amount of data common in home and enterprise environments.

This vulnerability is due to insufficient security restrictions on scripts processed by Windows Search. 

An unauthenticated, remote attacker could exploit this vulnerability by convince a user to accept a malicious file and then perform a search using the Windows Search feature that returns the malicious file. T he malicious file must appear as the first search result returned, or the user must open the malformed file.

A successful exploitation allows the attacker to could execute arbitrary script code in the security context of the affected component and view information contained within files located on the system, possibly resulting in the disclosure of sensitive information.

Solution

Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-023

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx

References

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022353.html

Secunia
http://secunia.com/advisories/35366/

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=18418

SecurityFocus
http://www.securityfocus.com/bid/35220

VUPEN
http://www.vupen.com/english/advisories/2009/1542

CVE Name
CVE-2009-0239

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003