CERT-In Vulnerability Note
Microsoft Internet Explorer Remote Code Execution Vulnerabilities
Original Issue Date: December 09, 2009
Severity Rating: HIGH
- Microsoft Windows 2000 SP4
- Windows XP SP 2 and Windows XP SP 3
- Windows XP Professional x64 Edition SP 2
- Windows Server 2003 SP 2
- Windows Server 2003 x64 Edition SP 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista SP 1, and Windows Vista SP 2
- Windows Vista x64 Edition, SP 1, and SP 2
- Windows Server 2008 and Windows Server 2008 SP 2 for 32-bit Systems
- Windows Server 2008 and Windows Server 2008 SP 2 for x64-based Systems
- Windows Server 2008 and Windows Server 2008 SP 2 for Itanium-based Systems
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
- Internet Explorer 5.01 SP4
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
Multiple remote code execution vulnerabilities have been reported in Microsoft Internet Explorer. An unauthenticated, remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted web page; code would then run with the privileges of the user running Internet Explorer.
1. ATL COM Initialization Vulnerability
This vulnerability exists because the Active Template Library (ATL) does not properly restrict the use of OleLoadFromStream when instantiating objects from data streams. A crafted HTML document that loads an ATL-based component or control can use this to bypass the related security policy and execute arbitrary code.
2. XHTML DOM Manipulation Memory Corruption Vulnerability
The vulnerability lies in the parsing and manipulation of certain HTML tags. Ordering objects in a malformed way corrupts memory and results in a call through a dangling pointer; combined with a heap spray, this can be leveraged into remote code execution.
3. HTML Object Memory Corruption Vulnerability
The vulnerability is due to a dangling pointer in the Microsoft HTML viewer (mshtml.dll) when it attempts to retrieve certain Cascading Style Sheet (CSS) objects using the getElementsByTagName function.
4. CSS Race Condition Code Execution Vulnerability
The specific flaw is a race condition triggered by repeatedly clicking between two elements at a fast rate. Clicking back and forth between the two elements corrupts memory and results in a call through a dangling pointer, which can be leveraged into code execution via a heap spray.
5. IFrame Attributes Circular Reference Dangling Pointer Vulnerability
The specific flaw exists during the deallocation of a circular reference involving a CAttrArray object. If the CAttrArray object has already been freed before the web page is torn down, the application accesses the freed memory while breaking the circular reference, which can result in arbitrary code execution.
- Set the Internet and Local intranet security zone settings to "High" so that Internet Explorer prompts before running ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
For detailed steps of these workarounds refer to Microsoft Security Bulletin MS09-072.
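The two workarounds above can be applied and audited from the registry rather than through the Internet Options dialog, which is how an administrator would roll them out to many users. The script below is an added example, not part of the CERT-In note or of Microsoft's bulletin. It assumes the per-user zone keys are in effect (i.e. the Security_HKLM_only policy has not been set; if it has, the same values live under HKLM) and uses the zone numbers (1 = Local intranet, 3 = Internet), action value names (1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting), policy data (0 = Enable, 1 = Prompt, 3 = Disable) and CurrentLevel value for "High" (0x12000) from Microsoft's documented zone registry layout.

```powershell
# Added example (not part of the CERT-In note or MS09-072): apply and audit
# the Internet Explorer zone workarounds for the current user's profile.
# Assumes per-user zone keys are in effect (Security_HKLM_only not set).

$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# Action value names from Microsoft's documented zone registry layout
$Actions    = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$PolicyName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$HighLevel  = 0x12000   # CurrentLevel data for the "High" template

function Set-IEZoneWorkaround {
    <#
      Sets the zone to High, makes ActiveX controls prompt, and makes
      Active Scripting prompt (default) or, with -DisableScripting, disabled.
    #>
    param(
        [Parameter(Mandatory)][ValidateSet(1, 3)][int]$Zone,
        [switch]$DisableScripting
    )
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { throw "Zone key $key not found" }
    $scriptValue = if ($DisableScripting) { 3 } else { 1 }
    Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $HighLevel   -Type DWord
    Set-ItemProperty -Path $key -Name '1200'         -Value 1            -Type DWord  # ActiveX: Prompt
    Set-ItemProperty -Path $key -Name '1400'         -Value $scriptValue -Type DWord  # Scripting: Prompt/Disable
}

function Test-IEZoneWorkaround {
    <# Reports, per zone and action, the effective setting and whether it
       is Prompt or Disable. A missing value is reported as not hardened,
       because IE then falls back to the zone template default. #>
    param([Parameter(Mandatory)][ValidateSet(1, 3)][int]$Zone)
    $key   = Join-Path $ZoneRoot $Zone
    $props = Get-ItemProperty -Path $key
    foreach ($id in $Actions.Keys) {
        $raw = $props.$id
        [pscustomobject]@{
            Zone      = $ZoneNames[$Zone]
            Action    = $Actions[$id]
            Setting   = if ($null -eq $raw) { 'not set' } else { $PolicyName[[int]$raw] }
            Compliant = ($null -ne $raw) -and ((1, 3) -contains [int]$raw)
        }
    }
}

# Apply to the Internet (3) and Local intranet (1) zones, then audit.
foreach ($z in 3, 1) { Set-IEZoneWorkaround -Zone $z }
foreach ($z in 3, 1) { Test-IEZoneWorkaround -Zone $z } | Format-Table -AutoSize
```

Two caveats before deploying this widely: on Windows Server, Internet Explorer Enhanced Security Configuration already places the Internet zone at High, so only the Local intranet change is new there, and setting the Local intranet zone to High will prompt on every intranet application that relies on script or ActiveX, which is why the bulletin treats these as temporary workarounds until the update is applied. The values take effect for newly opened Internet Explorer windows.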
Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS09-072.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003