CERT-In Vulnerability Note
CIVN-2009-0150
Microsoft Internet Explorer Remote Code Execution Vulnerabilities
Original Issue Date: December 09, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Windows 2000 SP4
- Windows XP SP 2 and Windows XP SP 3
- Windows XP Professional x64 Edition SP 2
- Windows Server 2003 SP 2
- Windows Server 2003 x64 Edition SP 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista SP 1, and Windows Vista SP 2
- Windows Vista x64 Edition, SP 1, SP 2
- Windows Server 2008, SP 2 for 32-bit Systems
- Windows Server 2008, SP 2 for x64-based Systems
- Windows Server 2008, SP 2 for Itanium-based Systems
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
Component Affected
- Internet Explorer 5.01 SP4
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
Overview
Multiple remote code execution vulnerabilities were reported in Microsoft Internet Explorer. An unauthenticated, remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted webpage.
Description
1. ATL COM Initialization Vulnerability
(CVE-2009-2493, CIVN-2009-142)
This vulnerability exists because the Active Template Library (ATL) does not properly restrict the use of OleLoadFromStream when instantiating objects from data streams. This can bypass the related security policy and leads to arbitrary code execution via a crafted HTML document with an ATL component or control.
2. XHTML DOM Manipulation Memory Corruption Vulnerability
(CVE-2009-3671)
The vulnerability is in the manipulation and parsing of certain HTML tags. Ordering various objects in a malformed way causes memory corruption, resulting in a call to a dangling pointer that can be further leveraged via a heap spray to achieve remote code execution.
3. HTML Object Memory Corruption Vulnerability
(CVE-2009-3672, CIVN-2009-123)
The vulnerability is due to a dangling pointer in the Microsoft HTML Viewer's mshtml.dll file when it attempts to retrieve certain Cascading Style Sheet (CSS) objects using the getElementsByTagName function.
4. CSS Race Condition Code Execution Vulnerability
(CVE-2009-3673)
The specific flaw exists during a race condition while repetitively clicking between two elements at a fast rate. When clicking back and forth between these two elements a corruption occurs resulting in a call to a dangling pointer which can be further leveraged into code execution via a heap spray.
5. IFrame Attributes Circular Reference Dangling Pointer Vulnerability
(CVE-2009-3674)
The specific flaw exists during deallocation of a circular dereference for a CAttrArray object. If the CAttrArray object has been freed prior to the tearing down of the webpage, the application will access the freed memory during the deallocation of the circular dereference, resulting in arbitrary code execution.
Workaround
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.
For detailed steps of these workarounds, refer to Microsoft Security Bulletin MS09-072.
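To check whether a host already meets the two workarounds above, the following PowerShell audit reads the Active Scripting and ActiveX settings for the Internet and Local intranet zones. It is an added example, not part of the CERT-In note or the Microsoft bulletin. The registry paths, zone numbers (1, 3) and action IDs (1200, 1400) are the standard Windows URL security zone values and do not appear in the advisory, and the lookup order (policy keys before user preferences) is an assumption of this example.

```powershell
# Added example: audit IE zone settings against the advisory's workaround.
# Zone numbers and action IDs are standard Windows URL security zone values.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Assumption: policy keys are checked before per-user preferences.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction {
    param([int]$Zone, [string]$Action)
    foreach ($root in $roots) {
        $key   = Join-Path $root $Zone
        $props = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            # First location that defines the value wins.
            return [pscustomobject]@{ Source = $key; Value = [int]$props.$Action }
        }
    }
    return $null   # value not set in any of the locations checked
}

$report = foreach ($z in $zones.Keys | Sort-Object) {
    foreach ($a in $actions.Keys | Sort-Object) {
        $hit = Get-ZoneAction -Zone $z -Action $a
        $val = $null
        $src = ''
        if ($hit) { $val = $hit.Value; $src = $hit.Source }

        if ($null -eq $val) { $current = 'Not set' }
        elseif ($meaning.ContainsKey($val)) { $current = $meaning[$val] }
        else { $current = "Other ($val)" }

        [pscustomobject]@{
            Zone      = $zones[$z]
            Setting   = $actions[$a]
            Current   = $current
            # The workaround is met only by Prompt (1) or Disable (3).
            Compliant = ($val -eq 1 -or $val -eq 3)
            Source    = $src
        }
    }
}
$report | Format-Table -AutoSize
```

Run it in the context of the user whose browser settings are being audited, since the HKCU keys are per-user.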
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-072.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
References
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
http://www.microsoft.com/technet/security/advisory/977981.mspx
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-086/
http://www.zerodayinitiative.com/advisories/ZDI-09-087/
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=19494
http://tools.cisco.com/security/center/viewAlert.x?alertId=19493
Secunia
http://secunia.com/advisories/37448
VUPEN
http://www.vupen.com/english/advisories/2009/3437
CVE Name
CVE-2009-2493
CVE-2009-3671
CVE-2009-3672
CVE-2009-3673
CVE-2009-3674
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India