The CERT for France Industry, Services and Tertiary sector

Members area [version française]

HOME PRESENTATION PUBLICATIONS SUBSCRIPTION CONTACTS FAQ SEARCH

Security Advisory

Public Advisories/Alerts Articles by Cert-IST Useful links In the Press - Events Printable version		Accueil | Resources | Public Advisories/Alerts | Security Advisories Several vulnerabilities in Microsoft Internet Explorer (MS09-072) Reference: CERT-IST/AV-2009.554 Version: 1.1 Version date: 15 December 2009 Vulnerability Classification Risk: high Impact: Get access Confidence: Vendor-acknowledged Attack expertise: Skilled Attack requirements: Remote (no account) over a standard service System Information Affected Platform(s): Microsoft Windows systems Affected Software(s): Microsoft Internet Explorer 5.01 Service Pack 4 Microsoft Internet Explorer 6 Service Pack 1 Microsoft Internet Explorer 6 Microsoft Internet Explorer 7 Microsoft Internet Explorer 8 Description Publication context: Microsoft released a "Cumulative Patch" for Internet Explorer (Microsoft bulletin MS09-072). This "Cumulative Patch" fixes five vulnerabilities described in this advisory as well as those described in the MS09-054 Microsoft bulletin. The CVE-2009-2493 vulnerability is the ATL vulnerability in a set of ActiveX, which is already described in the CERT-IST/AV-2009.327 and CERT-IST/AV-2009.354 advisories. The CVE-2009-3672 flaw was described under the FA-2009.0227 reference in the Cert-IST list of "Flaws under investigation". Problem description: Five vulnerabilities have been fixed in Microsoft Internet Explorer. They allow a malicious web page to execute harmful actions on a vulnerable system. Note: An exploit for the CVE-2009-3672 vulnerability has been released on Internet. Technical information: The discovered vulnerabilities are the following ones :  CVE-2009-2493:  An ActiveX uses a Microsoft ATL (Active Template Library) library impacted by this vulnerability already described in  CERT-IST/AV-2009.354  and  CERT-IST/AV-2009.327  advisories.  CVE-2009-3671, CVE-2009-3672, CVE-2009-3673, CVE-2009-3674 : Vulnerabilities due to access to an object that has not been correctly initialized or has been deleted. They allow a remote attacker, through a crafted HTML page, to run arbitrary code on a vulnerable system, with the privileges of the connected user. Solution Apply the Microsoft (KB976325) patches regarding the Internet Explorer vulnerabilities Patches are available for the various impacted platforms. See the Microsoft security bulletin MS09-072 to get the appropriate patch. The patches described in this security bulletin replace the ones described in the MS09-054 bulletin. Microsoft security bulletin MS09-072 dated December 8, 2009 http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx Standard vulnerability IDs Microsoft: KB976325 CVE: CVE-2009-3671 CVE: CVE-2009-3672 CVE: CVE-2009-3673 CVE: CVE-2009-3674 Additional Resources Microsoft security bulletin MS09-072 dated December 8, 2009 http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx US-CERT security advisory TA09-342A dated December 8, 2009 http://www.us-cert.gov/cas/techalerts/TA09-342A.html Nortel security advisory 2009009911 dated December 11, 2009 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984218 "Zero Day Initiative" security advisory ZDI-09-086 dated December 8, 2009 http://www.zerodayinitiative.com/advisories/ZDI-09-086/ "Zero Day Initiative" security advisory ZDI-09-087 dated December 8, 2009 http://www.zerodayinitiative.com/advisories/ZDI-09-087 "Zero Day Initiative" security advisory ZDI-09-088 dated December 8, 2009 http://www.zerodayinitiative.com/advisories/ZDI-09-088 iDEFENSE security advisory 833 dated December 9, 2009 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=833 History Version Comment Date 1.1 Fixed MS bulletins references in the "publication context" section 15 December 2009 1.0 Advisory creation 09 December 2009

Copyright © 1999-2012 Cert-IST | Legal Notice | Sitemap