Executive Summary

Title Vulnerability in Windows Search Could Allow Information Disclosure (963093)
Name MS09-023 First vendor Publication 2009-06-09
Vendor Microsoft Last vendor Modification 2009-06-09
Severity (Vendor) Moderate Revision 1.0

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Revision Note: Bulletin published.Summary: This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx

CWE : Common Weakness Enumeration

CWE-79Failure to Preserve Web Page Structure ('Cross-site Scripting')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5428
Oval ID: oval:org.mitre.oval:def:5428
Title: Script Execution in Windows Search Vulnerability
Description: Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted file that appears in a preview in a search result, aka "Script Execution in Windows Search Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0239
Version: 1
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Windows Search 4.0
Definition Synopsis:

CPE : Common Platform Enumeration


OpenVAS Exploits

2009-06-10Name : Microsoft Windows Search Script Execution Vulnerability (963093)
File : nvt/secpod_ms09-023.nasl

Open Source Vulnerability Database (OSVDB)

54935Microsoft Windows MSHTML Search Preview Display Information Disclosure

Information Assurance Vulnerability Management (IAVM)

2009-06-11IAVM : 2009-T-0032 - Information Disclosure Vulnerability in Microsoft Windows Search
Severity : Category II - VMSKEY : V0019397

Nessus® Vulnerability Scanner

2009-06-10Name : A vulnerability in Windows Search may lead to information disclosure.
File : smb_nt_ms09-023.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
2014-02-17 11:46:14
  • Multiple Updates
2013-11-11 12:41:11
  • Multiple Updates