Security Advisories

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: US-CERT Technical Cyber Security Alert TA08-352A -- Microsoft Internet Explorer Data Binding Vulnerability
From: CERT Advisory <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Wed, 17 Dec 2008 16:04:06 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    National Cyber Alert System

              Technical Cyber Security Alert TA08-352A


Microsoft Internet Explorer Data Binding Vulnerability

   Original release date: December 17, 2008
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Internet Explorer
     * Microsoft Outlook Express
     * Other software that uses Internet Explorer components to render documents


Overview

   Microsoft Internet Explorer contains an invalid pointer
   vulnerability in its data binding code, which can allow a remote,
   unauthenticated attacker to execute arbitrary code on a vulnerable
   system. Exploit code for this vulnerability is publicly available
   and is being actively exploited.


I. Description

   Microsoft Internet Explorer contains an invalid pointer
   vulnerability in its data binding code. When Internet Explorer
   renders a document that performs data binding, it may crash in a
   way that is exploitable to run arbitrary code. Any program that
   uses Internet Explorer's MSHTML layout engine, such as Outlook
   Express, may be at risk. Further details are available in US-CERT
   Vulnerability Note VU#493881.


II. Impact

   By convincing a user to view a specially crafted document that
   performs data binding (e.g., a web page or email message or
   attachment), an attacker may be able to execute arbitrary code with
   the privileges of the user.


III. Solution

   Apply an update
   
   This issue is addressed in Microsoft Security Bulletin MS08-078.
   This update provides new versions of mshtml.dll and wmshtml.dll,
   depending on the target operating system. More details are
   available in Microsoft Knowledge Base Article 960714.
   
   Disable Active Scripting  This vulnerability can be mitigated by
   disabling Active Scripting in the Internet Zone, as specified in
   the Securing Your Web Browser document. Note that this will not
   block the vulnerability. IE still may crash when parsing specially
   crafted content. Disabling Active Scripting will mitigate a common
   method used to achieve code execution with this vulnerability.
   Enable DEP in Internet Explorer 7  Enabling DEP in Internet
   Explorer 7 on Windows Vista can help mitigate this vulnerability by
   making it more difficult to achieve code execution using this
   vulnerability.
   
   Additional workarounds
   
   Microsoft Security Bulletin MS08-078 provides additional details
   for the above workarounds, as well as other workarounds not listed
   here. These workarounds are further explained in the Microsoft SWI
   Blog.


IV. References

 * Microsoft Security Bulletin MS08-078 -
   <https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>

 * MS08-078: Security update for Internet Explorer -
   <http://support.microsoft.com/kb/960714>

 * Microsoft Security Advisory (961051) -
   <http://www.microsoft.com/technet/security/advisory/961051.mspx>

 * Update on Internet Explorer 7, DEP and Adobe Software -
   <http://blogs.msdn.com/michael_howard/archive/2006/12/12/update-on-internet-explorer-7-dep-and-adobe-software.aspx>

 * Data Binding -
   <http://msdn.microsoft.com/en-us/library/ms531388(vs.85).aspx>

 * MSHTML Reference -
   <http://msdn.microsoft.com/en-us/library/aa741317.aspx>

 * US-CERT Vulnerability Note VU#493881 -
   <http://www.kb.cert.org/vuls/id/493881>

 * Securing Your Web Browser -
   <https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-352A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <This email address is being protected from spambots. You need JavaScript enabled to view it.> with "TA08-352A Feedback VU#493881" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History
  
  December 17, 2008: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSUloq3IHljM+H4irAQJ5WggAilfQXBGc2UPVScZTIA81uf0dloPwzgJF
xM5M5r0a5j8Km5g5mHdhzqs4Ni1DY0enftvm6JeagUmOzVPzOGemqXxTeAx/G6ZD
ttW687bsX9OdDJ2cmq6EixRwgVPR6kVnSK5s/MLw8yYWg7RS0lY0Mrc42QUL2GXR
KKBb3redelGZ6Szm5PKOcumYSP9bsQtxOqGZUx+d3l9cDeIDPn3c2aHFSkPP5mGr
LyEEqXw5+ifpx6v1gGyRyFOtFHP2QBSOOrnt05S0KTuoBJQ9QtyC9TEyGVwWjeq8
68BuGiOakwNdsjpFLLjW4W34N3oXnGFKh6jXAi4KW3d9wcIidZj0+w==
=T3zy
-----END PGP SIGNATURE-----

Powered by:

MHonArc