Fwd: FW: Alert - Microsoft Security Advisory 981374 Released


Noor Mohammed

Mar 11, 2010, 4:54:47 AM
to TechLab, amiabl...@gmail.com, avmoor...@yahoo.com, dinudi...@gmail.com, Donbo...@isgn.com, giri2...@yahoo.com, giric...@gmail.com, hisak...@rediffmail.com, imran...@hotmail.com, jawsw...@gmail.com, Karthikeyan.S...@ips.invensys.com, kgsur...@gmail.com, kgsur...@yahoo.co.in, moha...@gmail.com, moi...@yahoo.com, murth...@yahoo.co.in, muruges...@gmail.com, navan...@yahoo.com, npan...@gmail.com, panne...@gmail.com, pc_in...@yahoo.co.in, rafiq...@hotmail.com, raj...@gmail.com, sharem...@gmail.com, sivaku...@yahoo.com, sivaku...@gmail.com, sreej...@gmail.com, sudhar...@hotmail.com, thiru...@shasun.com, zakir_...@yahoo.com, abdul jabbar, Amilineni,Raghavendra Naidu, balakrishnan krishnan, C Jegadeeswaran, chandrabose subash, dheena dhayalan, dhilip kumar, jabbar sheik, Jagadish L, Justin. D, Justin. D, karthikeyan velu, M. Dillibabu M. Dillibabu, MADHUSUDAN V, MADHUSUDAN V, mahendran l, MB computech, mohamed haris, mohamed ismail, murthy govindaraj, Muthu Kumar M, narmatha Kumari, Neelameham J, prakash sara, Rafiq Basha, RaghavendraNaidu Amilineni, RaghavendraNaidu Amilineni, RAJESWARI SANKAR, s k, Saravanan G, Senthil Kumar, sridhar sri, Sudhee, Sungold covering, surajkumar, t karthekeyan, thiyagarajan karthikeyan, vinayaga moorthy, ashika sid, abd...@yahoo.com, ajsha...@yahoo.com, kader_...@hotmail.com, mail...@gmail.com, pee...@yahoo.com, pee...@aol.com, peer...@yahoo.com, rafi...@hotmail.com, var...@gmail.com, var...@hotmail.com, mohamed haris, Raja Mohammed, ::w::siraaj::


---------- Forwarded message ----------
From: Noor Muhammad <noormo...@mquest.in>
Date: Thu, Mar 11, 2010 at 3:09 PM
Subject: FW: Alert - Microsoft Security Advisory 981374 Released
To: hell...@gmail.com


 

 

From: Microsoft [mailto:Micr...@e-mail.microsoft.com]
Sent: Thursday, March 11, 2010 2:09 PM
To: nmoh...@aphelionindia.com
Subject: Alert - Microsoft Security Advisory 981374 Released

 

What is the purpose of this alert?

This alert is to notify you that Microsoft has released Security Advisory 981374 - Vulnerability in Internet Explorer Could Allow Remote Code Execution - on March 09, 2010.

 

Summary

 

Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

 

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

 

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

 

At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

 

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

 

Mitigating Factors

 

·         Internet Explorer 8 is not affected by this vulnerability.

 

·         Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system. An attacker who successfully exploited this vulnerability on Internet Explorer 6 or Internet Explorer 7 could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

 

·         In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

 

·         By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

 

·         By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, removing the risk of an attacker being able to use this vulnerability to execute malicious code. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of this exploit.

 

Affected and Non-Affected Software

 

The security advisory discusses the following software.

 

Affected Software

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2

Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2

Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

 

Non-Affected Software

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

Internet Explorer 8 for Windows Server 2003 Service Pack 2 and Windows Server 2003 x64 Edition Service Pack 2

Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Internet Explorer 8 in Windows 7 for 32-bit Systems

Internet Explorer 8 in Windows 7 for x64-based Systems

Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems

Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems

 

Recommendations

 

Review Microsoft Security Advisory 981374 for an overview of the issue, details on affected components, mitigating factors, workarounds, suggested actions, frequently asked questions (FAQs), and links to additional resources.

 

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.

 

Additional Resources

 

·         Microsoft Security Advisory 981374 - Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/981374.mspx

 

·         Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

 

·         Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

 

·         Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

 

Regarding Information Consistency

 

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's Web-based security content, the information in Microsoft's Web-based security content is authoritative.

 

Thank you,

Microsoft CSS Security Team

 


Microsoft Corporation (India) Pvt. Ltd.
9th Floor, Tower A, DLF Cyber Greens, DLF Cyber Citi, Sector 25A
Gurgaon, Haryana, 122 002, INDIA
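
An inventory triage for the affected and non-affected lists in the alert above, added here as an example and not part of Microsoft's message: it sorts hosts by Internet Explorer major version and notes the default mitigating factors the advisory names. The CSV layout, host names and version strings are constructed, and treating every 5.x version as Internet Explorer 5.01 Service Pack 4 is an assumption.

```python
import csv
import io

# Constructed inventory export; hosts and version strings are sample values.
SAMPLE_INVENTORY = """\
host,os,ie_version
ws-01,Windows XP Service Pack 3,6.0.2900.5512
ws-02,Windows XP Service Pack 3,8.0.6001.18702
ws-03,Windows Vista Service Pack 2,7.0.6002.18005
srv-01,Windows Server 2003 Service Pack 2,6.0.3790.3959
srv-02,Windows Server 2008 R2 for x64-based Systems,8.0.7600.16385
old-01,Microsoft Windows 2000 Service Pack 4,5.00.3700.1000
"""

AFFECTED_MAJORS = {6, 7}      # advisory: IE 6 and IE 7 are vulnerable
NOT_AFFECTED_MAJORS = {5, 8}  # advisory: IE 5.01 SP4 and IE 8 are not (5.x assumed 5.01 SP4)

def classify(ie_version):
    """Map an IE version string to the status the advisory gives it."""
    try:
        major = int(ie_version.strip().split(".")[0])
    except ValueError:
        return "unknown"  # empty or malformed inventory field
    if major in AFFECTED_MAJORS:
        return "affected"
    return "not affected" if major in NOT_AFFECTED_MAJORS else "unknown"

def mitigations(os_name):
    """Default mitigating factors from the advisory; confirm they are still enabled."""
    found = []
    if "Vista" in os_name:
        found.append("Protected Mode")
    if "Server 2003" in os_name or "Server 2008" in os_name:
        found.append("Enhanced Security Configuration (default)")
    return found

def triage(inventory_csv):
    """Return (host, status, mitigations), unmitigated affected hosts first."""
    rows = []
    order = {"affected": 0, "unknown": 1, "not affected": 2}
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(rec["ie_version"])
        mits = mitigations(rec["os"]) if status == "affected" else []
        rows.append((rec["host"], status, mits))
    rows.sort(key=lambda r: (order[r[1]], len(r[2]) > 0, r[0]))
    return rows

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

Hosts reported as "unknown" run a version the alert does not mention and need a manual check against the full advisory.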

