AL-2008.0045 -- [Win] -- MS08-023 Security Update of ActiveX Kill Bits

Date: 09 April 2008
References: ESB-2008.0400  


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2008.0045 -- AUSCERT ALERT
                                   [Win]
               MS08-023 Security Update of ActiveX Kill Bits
                               9 April 2008

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Internet Explorer 6 SP1
                      Internet Explorer 5.01 SP4
                      hxvz.dll ActiveX Control
                      Yahoo! Music Jukebox
Publisher:            Microsoft
Operating System:     Windows Server 2008
                      Windows Server 2008 x64
                      Windows Server 2008 Itanium
                      Windows Vista SP1
                      Windows Vista
                      Windows Vista x64 SP1
                      Windows Vista x64
                      Windows Server 2003 SP2
                      Windows Server 2003 SP1
                      Windows Server 2003 x64 SP2
                      Windows Server 2003 x64 SP1
                      Windows Server 2003 Itanium SP2
                      Windows Server 2003 Itanium
                      Windows XP SP2
                      Windows XP Professional x64 SP2
                      Windows XP Professional x64
                      Windows 2000 SP 4
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1086

Original Bulletin:
  http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx
  http://help.yahoo.com/l/us/yahoo/music/jukebox/troubleshoot/securityupdate.html

--------------------------BEGIN INCLUDED TEXT--------------------

MS08-023 Security Update of ActiveX Kill Bits 

This security update resolves one privately reported vulnerability for a
Microsoft product. This update also includes a kill bit for the Yahoo!
Music Jukebox product. The vulnerability could allow remote code execution
if a user viewed a specially crafted Web page using Internet Explorer.
Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative
user rights.

The security update is rated Critical for Internet Explorer 5.01
Service Pack 4 on Microsoft Windows 2000 Service Pack 4; Internet
Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000
Service Pack 4; Windows XP Service Pack 2; and Windows XP Professional
x64 Edition and Windows XP Professional x64 Edition Service Pack 2.

The security update is rated Important for Windows Vista and Windows
Vista Service Pack 1; and Windows Vista x64 Edition and Windows Vista
x64 Edition Service Pack 1.

The security update is rated Moderate for all supported editions of
Windows Server 2003.

For all other supported versions of Windows, this security update is
rated Low.

The security update addresses the vulnerability by setting a kill bit
so the vulnerable controls do not run in Internet Explorer.

Microsoft recommends that customers apply the update immediately.

Affected Software

   o Microsoft Internet Explorer 5.01 Service Pack 4
   o Microsoft Internet Explorer 6 Service Pack 1

Vulnerability Information

ActiveX Object Memory Corruption Vulnerability - CVE-2008-1086

A remote code execution vulnerability exists in the ActiveX control
hxvz.dll. An attacker could exploit the vulnerability by constructing
a specially crafted Web page. When a user views the Web page, the
vulnerability could allow remote code execution. An attacker who
successfully exploited this vulnerability could gain the same user
rights as the logged on user.

This update includes kill bits that will prevent the following ActiveX
controls from being run in Internet Explorer:

   o Yahoo! has released a security bulletin:
       http://help.yahoo.com/l/us/yahoo/music/jukebox/troubleshoot/securityupdate.html
     and an update that addresses the vulnerability in Yahoo! Music Jukebox.
     Please see the security bulletin from Yahoo! for more information and
     download locations. This kill bit is being set at the request of the
     owner of the ActiveX control. The class identifiers (CLSIDs) for this
     ActiveX control are:

       o {5f810afc-bb5f-4416-be63-e01dd117bd6c}
       o {22fd7c0a-850c-4a53-9821-0b0915c96139}

--------------------------END INCLUDED TEXT--------------------
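
As an added verification check for administrators (example code, not from the Microsoft bulletin or from AusCERT), the following PowerShell script reads the kill-bit registry value for the two CLSIDs listed above and reports whether the kill bit is set in each registry view. It assumes the documented Internet Explorer behaviour, which this page does not state: the key HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, its DWORD 'Compatibility Flags', and bit 0x400 as the kill bit.

```powershell
# Added example, not part of the Microsoft or AusCERT text: verify on a host that
# the MS08-023 kill bit is set for the two CLSIDs listed in the bulletin.
# Assumptions (documented IE behaviour, not stated on this page): IE consults
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} and
# treats bit 0x400 of the DWORD 'Compatibility Flags' as the kill bit; 32-bit IE
# on x64 Windows reads the Wow6432Node view, so both views are checked.

$KillBit = 0x400
$Clsids  = @(
    '{5f810afc-bb5f-4416-be63-e01dd117bd6c}',   # Yahoo! Music Jukebox (from the bulletin)
    '{22fd7c0a-850c-4a53-9821-0b0915c96139}'    # Yahoo! Music Jukebox (from the bulletin)
)
$Views = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = "$BasePath\$Clsid"
    $flags = $null
    if (Test-Path -LiteralPath $key) {
        $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    if ($null -eq $flags) { $flags = 0 }      # no key or no value: the control is NOT blocked
    New-Object -TypeName PSObject -Property @{
        Clsid      = $Clsid
        View       = $BasePath
        Flags      = ('0x{0:X8}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

$results = foreach ($view in $Views) {
    # The Wow6432Node branch exists only on 64-bit Windows; skip it elsewhere.
    if (Test-Path -LiteralPath $view) {
        foreach ($c in $Clsids) { Test-KillBit -BasePath $view -Clsid $c }
    }
}
$results | Format-Table Clsid, View, Flags, KillBitSet -AutoSize

$notBlocked = @($results | Where-Object { -not $_.KillBitSet })
if ($notBlocked.Count -gt 0) {
    Write-Warning "$($notBlocked.Count) CLSID/view combination(s) lack the kill bit; MS08-023 may not be applied."
    exit 1
}
'All listed CLSIDs carry the kill bit in every registry view present.'
```

Run it in an elevated PowerShell session; a non-zero exit code flags hosts where the update has not taken effect, which is convenient for fleet-wide checks.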

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
