
MA-214.022010: MyCERT Alert - Information Disclosure Vulnerability in Internet Explorer

Date First Published: 2010-02-04

1.0 Introduction

A critical vulnerability (CVE-2010-0255) has been disclosed in the Microsoft Internet Explorer web browser. The vulnerability may allow information disclosure for customers running Windows XP or who have disabled Internet Explorer Protected Mode. At this point in time, the vulnerability is still under investigation.

Customers that are using the default configuration of Internet Explorer 7 or 8 on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode.

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to harvest user credentials and other sensitive information by enticing users to visit maliciously crafted web pages.

3.0 Affected Products

The vulnerable products and versions are listed below:

  • Internet Explorer 5.01
  • Internet Explorer 6
  • Internet Explorer 6 Service Pack 1
  • Internet Explorer 7
  • Internet Explorer 8

4.0 Recommendations

  • Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. Microsoft Security Response Center has created a Microsoft Fix It to automate this. The Fix It can be run on individual systems, or enterprises can deploy it through their automated systems.

  • Upgrade to Internet Explorer 8 to benefit from its increased protections. In addition, users should continue to follow Microsoft "Protect Your Computer" guidance at http://www.microsoft.com/protect.

  • Disable Active Script support in the browser. Active Script can be disabled by following these steps:

    On the Tools menu, click Internet Options.
    Click the Security tab, choose the Internet zone and click Custom Level.
    Disable Active Scripting and click OK.

  • Do not browse to untrusted websites or click on untrusted links, especially URLs enclosed in e-mails from an unknown sender.

  • Browse the Internet using a lower-privileged user account to minimize the impact of a malicious file.

  • Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.
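
To verify the Active Scripting and Protected Mode recommendations above on a given machine, the following PowerShell audit is an added example, not part of the MyCERT advisory or of Microsoft's Fix It. It assumes the standard Internet Explorer zone registry layout (zone 3 is the Internet zone, URL action 1400 is Active Scripting, 2500 is Protected Mode), none of which appears on this page, and it uses a simplified lookup order that ignores the Security_HKLM_only policy.

```powershell
# Added audit example; not part of the MyCERT advisory.
# Reports the Internet zone (zone 3) state of Active Scripting (action 1400)
# and Protected Mode (action 2500) for the current user.

$zoneSuffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed lookup order (simplified): policy hives first, then user, then machine.
$hives = @(
    "HKLM:\SOFTWARE\Policies\$zoneSuffix",
    "HKCU:\Software\Policies\$zoneSuffix",
    "HKCU:\Software\$zoneSuffix",
    "HKLM:\SOFTWARE\$zoneSuffix"
)

# Safe = the state the advisory recommends (scripting disabled, Protected Mode on).
$actions = @(
    @{ Id = '1400'; Name = 'Active Scripting'; Safe = 3; Labels = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' } },
    @{ Id = '2500'; Name = 'Protected Mode';   Safe = 0; Labels = @{ 0 = 'Enabled'; 3 = 'Disabled' } }
)

function Get-ZoneAction {
    param([string]$Id)
    foreach ($path in $hives) {
        # Missing keys or values are expected; suppress the error and keep looking.
        $item = Get-ItemProperty -Path $path -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Id; Source = $path }
        }
    }
    return $null   # value not present in any hive
}

$report = foreach ($a in $actions) {
    $hit = Get-ZoneAction -Id $a.Id
    if ($null -eq $hit) {
        [pscustomobject]@{ Setting = $a.Name; State = 'Not set (zone default applies)'; MatchesAdvisory = $false; Source = '-' }
    } else {
        $label = $a.Labels[$hit.Value]
        if (-not $label) { $label = "Unknown ($($hit.Value))" }
        [pscustomobject]@{ Setting = $a.Name; State = $label; MatchesAdvisory = ($hit.Value -eq $a.Safe); Source = $hit.Source }
    }
}
$report | Format-Table -AutoSize
```

On Windows XP the Protected Mode row reports "Not set", since that feature exists only on Windows Vista and later.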

MyCERT would like to advise the users of Microsoft Internet Explorer to be vigilant of the latest security announcements by Microsoft and ensure that their operating systems are automatically updated. The article on how to enable the auto update feature in Microsoft is available at the following URL:

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

Copyright © 2010 - CyberSecurity Malaysia