AL-2009.0031 -- [Win] -- Internet Explorer: Execute Arbitrary Code
Date: 15 April 2009
Original URL: http://www.auscert.org.au/render.html?cid=21&it=10813

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0031 -- AUSCERT ALERT
[Win]
Internet Explorer: Execute Arbitrary Code
15 April 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product:           Internet Explorer 5.01 Service Pack 4 when installed
                     on Microsoft Windows 2000 Service Pack 4
                   Internet Explorer 6 Service Pack 1 when installed on
                     Microsoft Windows 2000 Service Pack 4
                   Internet Explorer 6 for Windows XP Service Pack 2
                   Internet Explorer 6 for Windows XP Service Pack 3
                   Internet Explorer 6 for Windows XP Professional x64
                     Edition
                   Internet Explorer 6 for Windows XP Professional x64
                     Edition Service Pack 2
                   Internet Explorer 6 for Windows Server 2003 Service
                     Pack 1
                   Internet Explorer 6 for Windows Server 2003 Service
                     Pack 2
                   Internet Explorer 6 for Windows Server 2003 x64
                     Edition
                   Internet Explorer 6 for Windows Server 2003 x64
                     Edition Service Pack 2
                   Internet Explorer 6 for Windows Server 2003 with SP1
                     for Itanium-based Systems
                   Internet Explorer 6 for Windows Server 2003 with SP2
                     for Itanium-based Systems
                   Internet Explorer 7 for Windows XP Service Pack 2
                   Internet Explorer 7 for Windows XP Service Pack 3
                   Internet Explorer 7 for Windows XP Professional x64
                     Edition
                   Internet Explorer 7 for Windows XP Professional x64
                     Edition Service Pack 2
                   Internet Explorer 7 for Windows Server 2003 Service
                     Pack 1
                   Internet Explorer 7 for Windows Server 2003 Service
                     Pack 2
                   Internet Explorer 7 for Windows Server 2003 x64
                     Edition
                   Internet Explorer 7 for Windows Server 2003 x64
                     Edition Service Pack 2
                   Internet Explorer 7 for Windows Server 2003 with SP1
                     for Itanium-based Systems
                   Internet Explorer 7 for Windows Server 2003 with SP2
                     for Itanium-based Systems
                   Internet Explorer 7 in Windows Vista and Windows
                     Vista Service Pack 1
                   Internet Explorer 7 in Windows Vista x64 Edition
                   Internet Explorer 7 in Windows Vista x64 Edition
                     Service Pack 1
                   Internet Explorer 7 in Windows Server 2008 for 32-bit
                     Systems*
                   Internet Explorer 7 in Windows Server 2008 for
                     x64-based Systems*
                   Internet Explorer 7 in Windows Server 2008 for
                     Itanium-based Systems
Publisher:         Microsoft
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CVE-2009-0554 CVE-2009-0553 CVE-2009-0552
                   CVE-2009-0551 CVE-2009-0550 CVE-2008-2540
Original Bulletin:
                   http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
Comment:           Exploit code has been made public for one of these
                   vulnerabilities.
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS09-014 - Critical

Cumulative Security Update for Internet Explorer (963027)

Published: April 14, 2009
Version: 1.0

General Information

Executive Summary

This security update resolves four privately reported vulnerabilities and
two publicly disclosed vulnerabilities in Internet Explorer. The
vulnerabilities could allow remote code execution if a user views a
specially crafted Web page using Internet Explorer or if a user connects
to an attacker's server by way of the HTTP protocol. Users whose accounts
are configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01 and
Internet Explorer 6 Service Pack 1, running on supported editions of
Microsoft Windows 2000; Internet Explorer 6 and Internet Explorer 7
running on supported editions of Windows XP; and Internet Explorer 7
running on supported editions of Windows Vista. For Internet Explorer 6
and Internet Explorer 7 running on supported editions of Windows Server
2003 and Windows Server 2008, this security update is rated Important.
For more information, see the subsection, Affected and Non-Affected
Software, in this section.

The security update addresses these vulnerabilities by modifying the way
that Internet Explorer searches the system for files to load, performs
authentication reply validation, handles transition errors when navigating
between Web pages, and handles memory objects. For more information about
the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection
under the next section, Vulnerability Information.

Affected Software

Internet Explorer 5.01 Service Pack 4 when installed on Microsoft Windows
  2000 Service Pack 4
Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows
  2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2 and Windows XP Service
  Pack 3
Internet Explorer 6 for Windows XP Professional x64 Edition and Windows
  XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows
  Server 2003 Service Pack 2
Internet Explorer 6 for Windows Server 2003 x64 Edition and Windows Server
  2003 x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 with SP1 for Itanium-based
  Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service
  Pack 3
Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP
  Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows
  Server 2003 Service Pack 2
Internet Explorer 7 for Windows Server 2003 x64 Edition and Windows Server
  2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based
  Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Internet Explorer 7 in Windows Vista and Windows Vista Service Pack 1
Internet Explorer 7 in Windows Vista x64 Edition and Windows Vista x64
  Edition Service Pack 1
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems*
Internet Explorer 7 in Windows Server 2008 for x64-based Systems*
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems

*Windows Server 2008 server core installation not affected.

Vulnerability Information

Blended Threat Remote Code Execution Vulnerability - CVE-2008-2540

A blended threat remote code execution vulnerability exists in the way that
Internet Explorer locates and opens files on the system. An attacker could
exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code
execution. An attacker who successfully exploited this vulnerability could
gain the same user rights as the logged-on user. If a user is logged on
with administrative user rights, an attacker who successfully exploited
this vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights.

WinINet Credential Reflection Vulnerability - CVE-2009-0550

A remote code execution vulnerability exists in the way that WinINet
handles NTLM credentials when a user connects to an attacker's server by
way of the HTTP protocol. This vulnerability allows an attacker to replay
the user's credentials back to the attacker and to execute code in the
context of the logged-on user. If a user is logged on with administrative
user rights, an attacker who successfully exploited this vulnerability
could take complete control of an affected system. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights.

Page Transition Memory Corruption Vulnerability - CVE-2009-0551

A remote code execution vulnerability exists in the way Internet Explorer
handles transition when navigating between Web pages. As a result, system
memory may be corrupted in such a way that an attacker could execute
arbitrary code if a user visited a specially crafted Web site. An attacker
who successfully exploited this vulnerability could gain the same user
rights as the logged-on user. If a user is logged on with administrative
user rights, an attacker who successfully exploited this vulnerability
could take complete control of an affected system. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights.

Uninitialized Memory Corruption Vulnerability - CVE-2009-0552

A remote code execution vulnerability exists in the way Internet Explorer
accesses an object that has not been correctly initialized or has been
deleted. An attacker could exploit the vulnerability by constructing a
specially crafted Web page. When a user views the Web page, the
vulnerability could allow remote code execution. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the logged-on user. If a user is logged on with administrative user
rights, an attacker who successfully exploited this vulnerability could
take complete control of an affected system. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights.

Uninitialized Memory Corruption Vulnerability - CVE-2009-0553

A remote code execution vulnerability exists in the way Internet Explorer
accesses an object that has not been correctly initialized or has been
deleted. An attacker could exploit the vulnerability by constructing a
specially crafted Web page. When a user views the Web page, the
vulnerability could allow remote code execution. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the logged-on user. If a user is logged on with administrative user
rights, an attacker who successfully exploited this vulnerability could
take complete control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights.

Uninitialized Memory Corruption Vulnerability - CVE-2009-0554

A remote code execution vulnerability exists in the way Internet Explorer
accesses an object that has not been initialized or has been deleted. An
attacker could exploit the vulnerability by constructing a specially
crafted Web page. When a user views the Web page, the vulnerability could
allow remote code execution. An attacker who successfully exploited this
vulnerability could gain the same user rights as the logged-on user.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ5TM2NVH5XJJInbgRAkoIAJsGuj522D0L/MxaO9my2dHzDHVgRgCbBrC3
5pv9k6/02CfGZktZ3eqbhTg=
=S5iP
-----END PGP SIGNATURE-----