Executive Summary

Summary
TitleVulnerability in Windows Search Could Allow Information Disclosure (963093)
Informations
NameMS09-023First vendor Publication2009-06-09
VendorMicrosoftLast vendor Modification2009-06-09
Severity (Vendor) ModerateRevision1.0

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score4.3Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Revision Note: Bulletin published.

Summary: This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx

CWE : Common Weakness Enumeration

idName
CWE-79Failure to Preserve Web Page Structure ('Cross-site Scripting')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5428
 
Oval ID: oval:org.mitre.oval:def:5428
Title: Script Execution in Windows Search Vulnerability
Description: Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted file that appears in a preview in a search result, aka "Script Execution in Windows Search Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0239
Version: 1
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Windows Search 4.0
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1

OpenVAS Exploits

DateDescription
2009-06-10Name : Microsoft Windows Search Script Execution Vulnerability (963093)
File : nvt/secpod_ms09-023.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
54935Microsoft Windows MSHTML Search Preview Display Information Disclosure

Information Assurance Vulnerability Management (IAVM)

DateDescription
2009-06-11IAVM : 2009-T-0032 - Information Disclosure Vulnerability in Microsoft Windows Search
Severity : Category II - VMSKEY : V0019397

Nessus® Vulnerability Scanner

DateDescription
2009-06-10Name : A vulnerability in Windows Search may lead to information disclosure.
File : smb_nt_ms09-023.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
DateInformations
2014-02-17 11:46:14
  • Multiple Updates
2013-11-11 12:41:11
  • Multiple Updates