CERT-In Vulnerability Note CIVN-2010-110
Microsoft Internet Explorer HTML Rendering Arbitrary Code Execution Vulnerability

Original Issue Date: March 30, 2010

Severity Rating: High

System Affected

  • Windows XP SP 2 and Windows XP SP 3
  • Windows XP Professional x64 Edition SP 2
  • Windows Server 2003 SP 2
  • Windows Server 2003 x64 Edition SP 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista SP 1 and SP 2
  • Windows Vista x64 Edition SP 1 and SP 2
  • Windows Server 2008 for 32-bit Systems & SP 2
  • Windows Server 2008 for x64-based Systems & SP 2
  • Windows Server 2008 for Itanium-based Systems & SP 2

Components Affected

  • Internet Explorer 7

Overview

A use-after-free vulnerability has been reported in Microsoft Internet Explorer that could allow an attacker to execute arbitrary code with the privileges of the logged-in user.

Description

The vulnerability is due to an invalid pointer reference in Internet Explorer: the browser accesses a pointer associated with an object that has already been deleted.
By convincing a user to load a specially crafted HTML document or Microsoft Office document, a remote, unauthenticated attacker may be able to execute arbitrary code.

Workarounds

  • Disable ActiveX Controls in Office 2007
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Enable Data Execution Prevention (DEP) for Internet Explorer 7
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Do not open unexpected files
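As an added illustration (not part of this CERT-In note), the following PowerShell audits the two zone settings the workarounds above ask for, Active Scripting and the zone security level, for the Internet and Local intranet zones. The registry location and value names (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting, CurrentLevel = zone template, 0x12000 = High) are assumed from Internet Explorer's per-user zone storage under HKCU.

```powershell
# Added example, not from the advisory: audit IE security-zone workarounds.
# Assumptions: per-user zone keys under HKCU; zone 1 = Local intranet,
# zone 3 = Internet; value '1400' = Active Scripting (0 enable, 1 prompt,
# 3 disable); 'CurrentLevel' = zone template (0x12000 = High).
# A missing value is treated as the template default (scripting enabled).

$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-ZoneAudit {
    param([int]$ZoneId, [string]$ZoneName)
    $key = Join-Path $base $ZoneId
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $scripting = if ($null -ne $p.'1400') { [int]$p.'1400' } else { 0 }
    $level     = if ($null -ne $p.CurrentLevel) { [int]$p.CurrentLevel } else { 0 }

    $scriptingText = switch ($scripting) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown($scripting)" }
    }

    # Either workaround satisfies the note: scripting not silently enabled,
    # or the whole zone set to the High template.
    [pscustomobject]@{
        Zone            = $ZoneName
        ActiveScripting = $scriptingText
        Level           = ('0x{0:X}' -f $level)
        Mitigated       = ($scripting -ne 0) -or ($level -eq 0x12000)
    }
}

$results = foreach ($id in $zones.Keys) { Get-ZoneAudit -ZoneId $id -ZoneName $zones[$id] }
$results | Format-Table -AutoSize

# To enforce the "prompt before running Active Scripting" workaround for the
# current user, uncomment the loop below and re-run the audit afterwards.
# foreach ($id in $zones.Keys) {
#     Set-ItemProperty -Path (Join-Path $base $id) -Name '1400' -Value 1 -Type DWord
# }
```

Run as the affected user; zone settings pushed by Group Policy live under HKLM or the Policies hive instead and are not read by this script.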

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS10-018

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=20203


CVE Name
CVE-2010-0807

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003