Executive Summary

Summary
Title Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)
Informations
Name MS11-009 First vendor Publication 2011-02-08
Vendor Microsoft Last vendor Modification 2012-08-14
Severity (Vendor) Important Revision 2.1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Revision Note: V2.1 (August 14, 2012): Clarified that users with Internet Explorer 9 installed on their systems do not need to install this update. See the section, Frequently Asked Questions (FAQ) Related to This Security Update, for more information.

Summary: This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

Original Source

Url : http://technet.microsoft.com/en-us/security/bulletin/ms11-009

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12313
 
Oval ID: oval:org.mitre.oval:def:12313
Title: Scripting Engines Information Disclosure Vulnerability
Description: The (1) JScript 5.8 and (2) VBScript 5.8 scripting engines in Microsoft Windows Server 2008 R2 and Windows 7 do not properly load decoded scripts obtained from web pages, which allows remote attackers to trigger memory corruption and consequently obtain sensitive information via a crafted web site, aka "Scripting Engines Information Disclosure Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-0031
 Version: 12
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
 Product(s): VBScript 5.8
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1
Os 2

OpenVAS Exploits

Date Description
2011-02-09 Name : Microsoft JScript and VBScript Scripting Engines Information Disclosure Vulne...
File : nvt/secpod_ms11-009.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
70827 Microsoft Windows JScript / VBScript Scripting Engine Memory Corruption Infor...

Microsoft Windows contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an error occurs in JScript and VBScript when processing scripts, which will disclose potentially sensitive information to a context-dependent attacker using a crafted web page.

Information Assurance Vulnerability Management (IAVM)

Date Description
2011-02-10 IAVM : 2011-B-0017 - Microsoft JScript and VBScript Scripting Information Disclosure Vulnerability
Severity : Category II - VMSKEY : V0026056

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Internet Explorer Base64 encoded script overflow attempt
RuleID : 18401 - Revision : 14 - Type : BROWSER-IE

Nessus® Vulnerability Scanner

Date Description
2011-02-08 Name : An information disclosure vulnerability exists in the JScript and VBscript en...
File : smb_nt_ms11-009.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-02-17 11:46:52
  • Multiple Updates
2014-01-19 21:30:36
  • Multiple Updates
2013-11-11 12:41:21
  • Multiple Updates