CERT-In Vulnerability Note
CIVN-2008-0186
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date:December 11, 2008
Severity Rating: HIGH
Systems Affected
- Microsoft Windows 2000 SP 4
- Windows XP SP3 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 for Itanium-based Systems SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
Overview
The following vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.
An unauthenticated, remote attacker could exploit these vulnerabilities through a website that is designed to cause Internet Explorer to process malicious parameters. As a result, the attacker could execute arbitrary code with the privileges of the user who launched Internet Explorer.
Description
1. Parameter Validation Memory Corruption Vulnerability
(
CVE-2008-4258
)
This vulnerability exists due to insufficient validation of user-supplied input. Internet Explorer fails to properly check parameters in unspecified method calls while processing a malformed document. The processing of malicious parameters could allow an attacker to trigger the execution of arbitrary code.
2. HTML Object Processing Code Execution Vulnerability
(
CVE-2008-4259
)
This vulnerability exists because Internet Explorer may attempt to access uninitialized memory areas as a result of processing malformed HTML objects.
3. Uninitialized Memory Corruption Vulnerability
(
CVE-2008-4260
)
The vulnerability is due to improper memory access of deleted memory objects.
4. HTML Rendering Memory Corruption Vulnerability
(
CVE-2008-4261
)
This vulnerability is due to improper parsing of malformed HTML objects. The problem is due to a stack-based buffer-overflow when handling specific HTML tags.
Workaround
- Administrators may consider configuring Internet Explorer to prompt users before running Active Scripting or ActiveX Controls by setting the Internet and Local Intranet security zone to High. Alternately, administrators could disable Active Scripting and ActiveX Controls in these security zones.
- Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
- Users are advised to run applications with the least necessary privileges.
Solution
Apply appropriate patches as mentioned in the Microsoft Security Bulletin
MS08-073.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-073.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-073.mspx
Secunia
http://secunia.com/advisories/33035/
SecurityFocus
http://www.securityfocus.com/bid/32586
http://www.securityfocus.com/bid/32595
SecurityTracker
http://securitytracker.com/alerts/2008/Dec/1021371.html
CVE Name
CVE-2008-4258
CVE-2008-4259
CVE-2008-4260
CVE-2008-4261
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|