Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
TitleVulnerability in Windows Search Could Allow Information Disclosure (963093)
NameMS09-023First vendor Publication2009-06-09
VendorMicrosoftLast vendor Modification2009-06-09
Severity (Vendor) ModerateRevision1.0

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score4.3Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


Revision Note: Bulletin published.Summary: This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx

CWE : Common Weakness Enumeration

100 %CWE-79Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5428
Oval ID: oval:org.mitre.oval:def:5428
Title: Script Execution in Windows Search Vulnerability
Description: Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted file that appears in a preview in a search result, aka "Script Execution in Windows Search Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0239
Version: 1
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Windows Search 4.0
Definition Synopsis:

CPE : Common Platform Enumeration


OpenVAS Exploits

2009-06-10Name : Microsoft Windows Search Script Execution Vulnerability (963093)
File : nvt/secpod_ms09-023.nasl

Open Source Vulnerability Database (OSVDB)

54935Microsoft Windows MSHTML Search Preview Display Information Disclosure

Information Assurance Vulnerability Management (IAVM)

2009-06-11IAVM : 2009-T-0032 - Information Disclosure Vulnerability in Microsoft Windows Search
Severity : Category II - VMSKEY : V0019397

Nessus® Vulnerability Scanner

2009-06-10Name : A vulnerability in Windows Search may lead to information disclosure.
File : smb_nt_ms09-023.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
2014-02-17 11:46:14
  • Multiple Updates
2013-11-11 12:41:11
  • Multiple Updates