|CERT-In Vulnerability Note
Microsoft Indexing Service ActiveX Control Memory Corruption Vulnerability
Original Issue Date:October 15, 2009
Severity Rating: HIGH
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
A vulnerability has been reported in Microsoft indexing service that could allow a remote attacker to gain complete control of an affected system.
Indexing Service is a base service for Microsoft Windows that extracts content from files and constructs an indexed catalog to facilitate efficient and rapid searching. Indexing Service can extract both text and property information from files on the local host and on remote, networked hosts. The files can be simply members of a selected file system or part of a virtual Web hosted by, for example, Internet Information Services IIS .
A remote code execution vulnerability exists in the Indexing Service on Windows systems. which could allow remote attackers to compromise a vulnerable system. This issue is caused by a memory corruption error in the "Query.dll" ActiveX component included with the Indexing service that does not properly handle specially crafted Web content, An attacker who successfully exploited this vulnerability could take complete control of an affected system.
- Unregister ixsso.dll
- Prevent the Indexing Service ActiveX control COM object from running in Internet Explorer
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Apply appropriate updates as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003