CERT-In Vulnerability Note
CIVN-2012-0107
Multiple Vulnerabilities in Microsoft Internet Explorer 9
Original Issue Date: November 14, 2012
Severity Rating: HIGH
Systems Affected
- Windows Vista SP2 and x64 Edition SP2
- Windows Server 2008 for 32-bit and x64-based Systems SP2
- Windows 7 for 32-bit Systems SP1 and prior
- Windows 7 for x64-based Systems SP1 and prior
- Windows Server 2008 R2 for x64-based Systems SP1 and prior
Component Affected
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Explorer 9, which could be exploited by remote attackers to execute arbitrary code and take control of the affected system with the privileges of the logged-in user.
Description
CFormElement, CTreePos and CTreeNode Use After Free Vulnerabilities (CVE-2012-1538, CVE-2012-1539, CVE-2012-4775)
These vulnerabilities exist in Microsoft Internet Explorer 9 in the handling of access requests for CFormElement, CTreePos and CTreeNode class objects that have been deleted or not properly initialized. A remote attacker could exploit the vulnerabilities by hosting a specially crafted webpage which, when loaded by the current user, results in memory corruption and execution of arbitrary code on the target system. The code will run with the privileges of the logged-in user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workaround
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Add trusted sites to the Internet Explorer Trusted sites zone.
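The first two workarounds are applied through the Internet Explorer security-zone settings, which live under the Zones registry keys. The following PowerShell script is an added audit example (it is not part of the CERT-In advisory and not Microsoft's tooling); it reads the Active Scripting (action 1400) and "Run ActiveX controls and plug-ins" (action 1200) values for the Local intranet (zone 1) and Internet (zone 3) zones in both HKLM and HKCU, and reports whether each is set to Prompt or Disable as the workaround asks. The function names Get-IEZoneAudit and Set-IEZoneActiveScripting are this example's own; the zone numbers, action ids and the 0x12000 value of the "High" template are the documented IE registry layout.

```powershell
# Added example, not from the advisory: audit IE security-zone settings for the workaround.
# Registry layout (documented IE values):
#   Zone 1 = Local intranet, Zone 3 = Internet
#   1400 = Active Scripting, 1200 = Run ActiveX controls and plug-ins
#   Action data: 0 = Enable, 1 = Prompt, 3 = Disable
#   CurrentLevel 0x12000 = the "High" security template

$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions   = @{ 1400 = 'Active Scripting'; 1200 = 'Run ActiveX controls and plug-ins' }
$Setting   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAudit {
    param(
        # HKLM carries machine-wide (Group Policy) settings; HKCU the current user's own.
        [string[]]$Hives = @('HKLM', 'HKCU')
    )
    foreach ($hive in $Hives) {
        foreach ($zone in $ZoneNames.Keys) {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            if (-not (Test-Path $key)) { continue }

            $levelRaw = (Get-ItemProperty -Path $key -Name 'CurrentLevel' -ErrorAction SilentlyContinue).CurrentLevel
            $level = if ($null -eq $levelRaw) { '(not set)' } else { '0x{0:X}' -f [int]$levelRaw }

            foreach ($action in $Actions.Keys) {
                $raw = (Get-ItemProperty -Path $key -Name "$action" -ErrorAction SilentlyContinue)."$action"
                $value = if ($null -eq $raw) { $null } else { [int]$raw }
                [pscustomobject]@{
                    Hive      = $hive
                    Zone      = $ZoneNames[$zone]
                    Action    = $Actions[$action]
                    Value     = $value
                    Effective = if ($null -eq $value) { '(not set)' } else { $Setting[$value] }
                    # The workaround is met when the action is Prompt (1) or Disable (3).
                    Compliant = ($value -eq 1 -or $value -eq 3)
                    Level     = $level
                }
            }
        }
    }
}

function Set-IEZoneActiveScripting {
    # Apply the second workaround for the current user: set Active Scripting (1400)
    # to Prompt (1) or Disable (3) in the Internet and Local intranet zones.
    param(
        [ValidateSet('Prompt', 'Disable')] [string]$Mode = 'Prompt'
    )
    $data = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($zone in $ZoneNames.Keys) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '1400' -Value $data -Type DWord
        }
    }
}

# Usage: list every zone/action pair that still allows scripting or ActiveX outright.
Get-IEZoneAudit | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An HKLM entry takes precedence when the Security_HKLM_only policy is in force, so when the HKCU values look compliant but the browser behaves otherwise, compare both hives in the output before concluding the workaround is in place.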
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS12-071
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-071
References
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-071
Security Focus
http://www.securityfocus.com/bid/56420/info
http://www.securityfocus.com/bid/56421/info
http://www.securityfocus.com/bid/56422/info
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=27364
http://tools.cisco.com/security/center/viewAlert.x?alertId=27365
http://tools.cisco.com/security/center/viewAlert.x?alertId=27366
Security Tracker
http://www.securitytracker.com/id/1027749
CVE Name
CVE-2012-1538
CVE-2012-1539
CVE-2012-4775
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India