Vulnerability in the Internet Explorer XML parsing (MS08-078)
| Reference: | CERT-IST/AV-2008.538 |
| Version: | 3.0 |
| Version date: | 18 December 2008 |
Vulnerability Classification
| Risk: | high |
| Impact: | Get access |
| Confidence: | Vendor-acknowledged |
| Attack expertise: | Skilled |
| Attack requirements: | Remote (no account) over a standard service |
System Information
| Affected Platform(s): |
- Windows XP Service Pack 2
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP1 for Itanium-based Systems
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista
- Windows Vista Service Pack 1
- Windows Vista x64 Edition
- Windows Vista x64 Edition Service Pack 1
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
| Affected Software(s): |
- Microsoft Internet Explorer 5.01 Service Pack 4
- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 6 SP1
- Windows Internet Explorer 7
- Windows Internet Explorer 8 Beta 2
Description
| Publication context: |
[Version 3.0]: This advisory was re-issued on 18 December 2008 because Microsoft has just released an out-of-band patch for the vulnerability in Internet Explorer. The "Affected Software" and "Technical Information" sections have also been updated.
[Version 2.0]: This advisory was re-issued on 12 December 2008 because Microsoft mentions that Internet Explorer 5.01 Service Pack 4, 6 and 8 Beta 2 are also potentially affected by the vulnerability.
This vulnerability is also described in the CERT-IST/DG-2008.011 potential danger. The threat related to its exploitation is monitored in the Cert-IST crisis response hub named "IE XML 0day".
| Problem description: |
A vulnerability has been discovered in Internet Explorer. It allows a malicious web page to perform harmful actions on a vulnerable system with the privileges of the connected user.
Note:
- An exploit for this vulnerability has been released on the Internet. It allows arbitrary commands to be launched on systems running Internet Explorer 7.
- Moreover, active exploitation of this vulnerability has been seen on several web sites.
| Technical information: |
This vulnerability is due to a memory management error in the Internet Explorer Data Binding feature when handling specific XML data. It allows a remote attacker, through a crafted HTML page, to run arbitrary code on a vulnerable system, with the privileges of the connected user.
Solution
01 - Workarounds regarding the Internet Explorer vulnerability
While waiting for patches to be released, Microsoft recommends:
- Enable the DEP (Data Execution Prevention) memory protection in Internet Explorer 7.
  Local administrators can enable DEP by running Internet Explorer as an Administrator and performing the following steps:
  - In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
  - Click Enable memory protection to help mitigate online attacks.
  Impact of this workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly.
  Note: DEP was included in Internet Explorer, although off by default, and is designed to help foil attacks by preventing code from running in memory that is marked non-executable.
- Disable or unregister OLEDB32.DLL.
  Please refer to the Microsoft references (listed in the "Additional Resources" section) for the actions to perform on each platform.
- Disable XML Island functionality.
  Please refer to the Microsoft references (listed in the "Additional Resources" section) for the actions to perform on each platform.
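Added example (not part of the advisory or of Microsoft's guidance): before disabling XML Island functionality, an administrator may want to know which internal pages use it. The Python below scans static HTML for `<XML>` data islands and for elements bound to them through the `DATASRC` attribute; the function names and sample pages are constructed for illustration, and pages that build islands dynamically are out of its scope.

```python
from html.parser import HTMLParser


class IslandScanner(HTMLParser):
    """Records <xml> data islands and elements that bind to a data source."""

    def __init__(self):
        super().__init__()
        self.islands = set()   # lower-cased ids of <xml id="..."> islands
        self.unnamed = 0       # islands without an id (e.g. only a src attribute)
        self.datasrc = []      # (tag, target id) for each element with DATASRC

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lower-cases tag and attribute names
        if tag == "xml":
            if a.get("id"):
                self.islands.add(a["id"].lower())
            else:
                self.unnamed += 1
        elif a.get("datasrc"):
            self.datasrc.append((tag, a["datasrc"].lstrip("#").lower()))


def scan_page(html):
    """Return the XML islands in a page and the elements bound to them."""
    scanner = IslandScanner()
    scanner.feed(html)
    scanner.close()
    # Resolve after parsing: an island may be declared after its consumer.
    bound = [(t, target) for t, target in scanner.datasrc
             if target in scanner.islands]
    return {
        "islands": sorted(scanner.islands),
        "unnamed_islands": scanner.unnamed,
        "bound_elements": bound,
        "depends_on_xml_islands": bool(scanner.islands or scanner.unnamed),
    }


# Constructed sample pages (not taken from the advisory).
STOCK_PAGE = """<html><body>
<table DATASRC="#Stock"><tr><td><span DATAFLD="name"></span></td></tr></table>
<XML ID="stock"><items><item><name>Router</name></item></items></XML>
</body></html>"""
PLAIN_PAGE = "<html><body><table><tr><td>Router</td></tr></table></body></html>"
# DATASRC can also point at a non-island data source object.
OTHER_SOURCE_PAGE = '<html><body><div datasrc="#tdc1"></div></body></html>'

if __name__ == "__main__":
    for name, page in [("stock", STOCK_PAGE), ("plain", PLAIN_PAGE),
                       ("other", OTHER_SOURCE_PAGE)]:
        print(name, scan_page(page))
```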
02 - Apply the Microsoft patches (KB960714) regarding the Internet Explorer vulnerability
Patches are available for the various impacted platforms.
See the Microsoft security bulletin MS08-078 ("Additional Resources" section) to get the appropriate patch.
Note: Unlike the usual Internet Explorer security updates, the one described in the MS08-078 security bulletin is not cumulative.
Standard vulnerability IDs
Additional Resources
- Microsoft security advisory 961051 dated December 10, 2008
- Microsoft security bulletin MS08-078 dated December 17, 2008
- US-CERT security advisory TA08-352A dated December 17, 2008
- Nortel Response to Microsoft Security Bulletin MS08-078
History
| Version | Comment | Date |
| 3.0 | Microsoft patches (security bulletin MS08-078) | 18 December 2008 |
| 2.1 | Update of the workarounds | 15 December 2008 |
| 2.0 | Update of the impacted products and workaround | 12 December 2008 |
| 1.0 | Advisory creation | 11 December 2008 |