MA-167.062009: MyCERT Alert - Multiple Vulnerabilities in Microsoft Internet Explorer

1.0 Introduction

Multiple critical vulnerabilities have been identified in Microsoft Internet Explorer. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system, while a failed attack may cause denial-of-service conditions.

The vulnerabilities are listed below:

  • Microsoft Internet Explorer 8 Rows Property Dangling Pointer Code Execution Vulnerability.
  • Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability.
  • Microsoft Internet Explorer setCapture Memory Corruption Vulnerability.
  • Microsoft Internet Explorer Event Handler Uninitialized Memory Remote Code Execution Vulnerability.
  • Microsoft Internet Explorer Cached Content Cross Domain Information Disclosure Vulnerability.

Essentially, an attacker can trick unsuspecting users into opening a URL that contains a specially crafted Web page using Internet Explorer.

2.0 Impact

An attacker who has successfully exploited this vulnerability could execute code remotely and gain the same privileges as the user. A failed attack may cause denial-of-service conditions.

3.0 Affected Products

The detailed list of vulnerable products and versions is as follows:

  • Microsoft Internet Explorer 5.01 SP 4
  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 6 Service Pack 1
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8

4.0 Recommendation

  • Microsoft recommends that users enable the Automatic Updates feature, because this security update will then be downloaded and installed automatically. For information about specific configuration options in automatic updating, please refer to this URL: http://support.microsoft.com/kb/294871

  • If users are unable to perform the update using the Automatic Updates feature, the patch for a specific browser version and operating system can be downloaded manually from the following URL:
    http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx#ESC

Generally, MyCERT advises users of this product to keep themselves updated with the latest security announcements by the vendor. Users who receive suspicious attachments or URLs can forward them to MyCERT for further analysis. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

Copyright © 2009 - CyberSecurity Malaysia