Executive Summary
Summary | |
---|---|
Title | Microsoft Internet Explorer data binding memory corruption vulnerability |
Informations | |||
---|---|---|---|
Name | VU#493881 | First vendor Publication | 2008-12-10 |
Vendor | VU-CERT | Last vendor Modification | 2008-12-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#493881Microsoft Internet Explorer data binding memory corruption vulnerabilityOverviewMicrosoft Internet Explorer contains an invalid pointer vulnerability in its data binding code, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.I. DescriptionMicrosoft Internet Explorer contains an invalid pointer vulnerability in its data binding code. The vulnerability can be triggered when Internet Explorer or a program that uses Internet Explorer's components renders a document that contains more than one reference to the same data source. This flaw can cause an invalid array size and result in the accessing of memory space of a deleted object. Specially crafted content that performs data binding, such as an XML or HTML document, can cause IE to crash in a way that is exploitable. Limited testing has shown this vulnerability to affect Internet Explorer 6 and later, up to and including Internet Explorer 8 Beta 2. However, all versions of Internet Explorer from 4.0 and on may be at risk. We have confirmed that Outlook Express is also at risk. Exploit code for this vulnerability is publicly available.II. ImpactBy convincing a user to view a specially crafted document that performs data binding (e.g., a web page or email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.III. SolutionApply an updateThis issue is addressed in Microsoft Security Bulletin MS08-078. This update provides new versions of mshtml.dll and wmshtml.dll, depending on the target operating system. More details are available in Microsoft Knowledge Base Article 960714. Consider the following workarounds if you are unable to apply the update:
[HKEY_CLASSES_ROOTCLSID{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}] Disable Active Scripting This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the "Securing Your Web Browser" document. Note that this will not block the vulnerability. IE still may crash when parsing specially crafted XML content. Disabling Active Scripting will mitigate a common method used to achieve code execution with this vulnerability. Enable DEP in Internet Explorer 7 Enabling DEP in Internet Explorer 7 on Windows Vista can help mitigate this vulnerability by making it more difficult to achieve code execution using this vulnerability. Systems Affected
References
This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/493881 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:6007 | |||
Oval ID: | oval:org.mitre.oval:def:6007 | ||
Title: | Pointer Reference Memory Corruption Vulnerability | ||
Description: | Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-4844 | Version: | 6 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | Microsoft Internet Explorer |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 |
SAINT Exploits
Description | Link |
---|---|
Internet Explorer XML data binding memory corruption | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2009-06-05 | Name : Ubuntu USN-698-1 (nagios) File : nvt/ubuntu_698_1.nasl |
2008-12-29 | Name : Ubuntu USN-697-1 (imlib2) File : nvt/ubuntu_697_1.nasl |
2008-12-29 | Name : Ubuntu USN-698-2 (nagios3) File : nvt/ubuntu_698_2.nasl |
2008-12-29 | Name : Ubuntu USN-699-1 (blender) File : nvt/ubuntu_699_1.nasl |
2008-12-12 | Name : Vulnerability in Internet Explorer Could Allow Remote Code Execution (960714) File : nvt/secpod_ms_ie_mem_crptn_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
50622 | Microsoft IE mshtml.dll XSML Nested SPAN Element Handling Unspecified Arbitra... A use-after-free flaw exists in Internet Explorer. The data binding function fails to update the array length after releasing an object resulting in access to the deleted object's memory space. With a specially crafted web page, a context dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2008-12-18 | IAVM : 2008-A-0090 - Microsoft Internet Explorer Remote Code Execution Vulnerability Severity : Category I - VMSKEY : V0017935 |
Snort® IPS/IDS
Date | Description |
---|---|
2017-03-07 | Microsoft Internet Explorer nested tag memory corruption attempt RuleID : 41494 - Revision : 1 - Type : BROWSER-IE |
2017-03-07 | Microsoft Internet Explorer nested SPAN tag memory corruption attempt RuleID : 41493 - Revision : 1 - Type : BROWSER-IE |
2014-01-10 | Microsoft Internet Explorer nested tag memory corruption attempt RuleID : 17402 - Revision : 10 - Type : BROWSER-IE |
2014-01-10 | Microsoft Internet Explorer nested tag memory corruption attempt - unescaped RuleID : 17401 - Revision : 12 - Type : BROWSER-IE |
2014-01-10 | Microsoft Internet Explorer nested SPAN tag memory corruption attempt RuleID : 16605 - Revision : 12 - Type : BROWSER-IE |
2014-01-10 | Microsoft Internet Explorer nested tag memory corruption attempt RuleID : 15126 - Revision : 17 - Type : BROWSER-IE |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-12-17 | Name : Arbitrary code can be executed on the remote host through the web client. File : smb_nt_ms08-078.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-04-15 13:28:38 |
|
2013-05-11 00:57:08 |
|