copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2009.1557 - ALERT [Win] Internet Explorer: Execu...
 

ESB-2009.1557 - ALERT [Win] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction
Date: 24 November 2009

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1557
   Vulnerability in Internet Explorer Could Allow Remote Code Execution
                             24 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Internet Explorer 7
                   Internet Explorer 6
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation

Original Bulletin: 
   http://www.microsoft.com/technet/security/advisory/977981.mspx

Comment: For detailed steps to apply the workarounds, please see the 
         original bulletin url above.
         
         Exploit code for this vulnerability has been made public.

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (977981)

Vulnerability in Internet Explorer Could Allow Remote Code Execution

   Published: November 23, 2009

   Version: 1.0

Microsoft is investigating new public reports of a vulnerability in Internet 
Explorer. This advisory contains information about which versions of Internet 
Explorer are vulnerable as well as workarounds and mitigations for this 
issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 
and Internet Explorer 8 on all supported versions of Microsoft Windows are not 
affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 
2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on 
supported editions of Windows XP, Windows Server 2003, Windows Vista, and 
Windows Server 2008 are affected.

The vulnerability exists as an invalid pointer reference of Internet Explorer. 
It is possible under certain conditions for a CSS/Style object to be accessed 
after the object is deleted. In a specially-crafted attack, Internet Explorer 
attempting to access a freed object can lead to running attacker-supplied 
code.

At this time, we are aware of no attacks attempting to use this vulnerability 
against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will 
continue to monitor the threat environment and update this advisory if this 
situation changes. On completion of this investigation, Microsoft will take 
the appropriate action to protect our customers, which may include providing 
a solution through our monthly security update release process, or an 
out-of-cycle security update, depending on customer needs.

Mitigating Factors:
	
   * Internet Explorer 8 is not affected.
   * Protected Mode in Internet Explorer 7 in Windows Vista limits the 
     impact of the vulnerability.
   * By default, Internet Explorer on Windows Server 2003 and Windows Server 
     2008 runs in a restricted mode that is known as Enhanced Security 
     Configuration. This mode sets the security level for the Internet zone to 
     High. This is a mitigating factor for Web sites that you have not added 
     to the Internet Explorer Trusted sites zone.
   * An attacker who successfully exploited this vulnerability could gain the 
     same user rights as the local user. Users whose accounts are configured 
     to have fewer user rights on the system could be less affected than users 
     who operate with administrative user rights.
   * By default, all supported versions of Microsoft Outlook, Microsoft 
     Outlook Express, and Windows Mail open HTML e-mail messages in the 
     Restricted sites zone. The Restricted sites zone helps mitigate attacks 
     that could try to exploit this vulnerability by preventing Active 
     Scripting and ActiveX controls from being used when reading HTML e-mail 
     messages. However, if a user clicks a link in an e-mail message, the user 
     could still be vulnerable to exploitation of this vulnerability through 
     the Web-based attack scenario.

Workarounds

   * Set Internet and Local intranet security zone settings to "High" to prompt
     before running ActiveX Controls and Active Scripting in these zones
   * Configure Internet Explorer to prompt before running Active Scripting or 
     to disable Active Scripting in the Internet and Local intranet security 
     zone
   * Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLC1BENVH5XJJInbgRAts/AJ4hN1p0TiPDOo9ckmo0LXGxvZ80MQCfT7W2
95WaokgDxrXtCC0ihe9lyLI=
=lvX2
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1980&it=11998