Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Internet Explorer Invalid Pointer Reference Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1023462 |
|
SecurityTracker URL: http://securitytracker.com/id/1023462
|
|
CVE Reference:
CVE-2010-0249
(Links to External Site)
|
Updated: Jan 21 2010
|
Original Entry Date: Jan 14 2010
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 6, 6 SP1, 7, 8
|
Description:
A vulnerability was reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid pointer reference and execute arbitrary code on the target system when the referenced (and deleted) object is accessed by the browser. The code will run with the privileges of the target user.
The vendor indicates that Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4 is not affected.
This vulnerability is being actively exploited.
Demonstration code is publicly available.
Google, MANDIANT, Adobe, and McAfee reported this vulnerability.
[Editor's note: On Monday January 18, 2010 (UTC), Microsoft issued a blog post noting that attacks have been limited to a targeted subset of their customers and that the attacks have been against IE version 6: http://blogs.technet.com/msrc/archive/2010/01/17/further-insight-into-security-advisory-979352-and-the-threat-landscape.aspx]
|
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution:
The vendor has issued the following fixes:
Microsoft Windows 2000 Service Pack 4, Internet Explorer 5.01 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=51e99e4f-1670-4b12-a9fe-e0ccf50cdabc
Microsoft Windows 2000 Service Pack 4 , Internet Explorer 6 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=a38aa9d0-c3fe-4d41-8805-7d5370263c1b
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=207eecad-6e84-48e6-ae18-6794a3618ee0
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=eb2d8055-4d50-4f83-82b8-055c7b8f5422
Windows Server 2003 Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=fea91227-44ad-4549-8732-497a8ceff870
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=633e63f4-605b-43c4-8a4b-2730312a1c72
Windows Server 2003 with SP2 for Itanium-based Systems, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=b9308d50-ca66-43ff-9dc5-d05c90baa764
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=3510c7d8-7e8f-479e-b6f9-5745a845664d
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=cc5aea0b-e553-4f7f-a2cc-cba41bb87ae7
Windows Server 2003 Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=14726445-3ff4-463c-9fc1-c9b758079aca
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=c8742230-16d8-4b2f-bd3e-8834c759856b
Windows Server 2003 with SP2 for Itanium-based Systems, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=5622f223-df9c-4a6a-bdf0-feebaf9920fd
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=92495551-dedd-43d4-bb3a-51028bc5c6d6
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=3cb139b3-59f4-44ef-9911-4dd4e3b83e7d
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=8c4c91ec-1b2b-4176-bd77-45245b590329
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=4f9975b8-3f91-4116-9200-ef55ece75854
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=9395547f-b620-4cbd-9ff5-11b76cd73859
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=7c2948fb-f486-4801-bc21-bbf40d5a78c2
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=41b83fad-948b-4a9c-80ed-9c5a60bd35b4
Windows Server 2003 Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=7d480c87-2ca9-4505-a59d-a6d73d001fa5
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=3e2e740b-8417-4758-8468-15221249ec71
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=5e2cbd7d-f64f-49e5-a159-1965ebfe2a92
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=b7a7e8e7-f4c5-459d-ab6c-05a192e1e3f9
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=f5ce8582-af63-4870-bee3-0abeeefa1458
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=be11981c-d286-4e3c-94bf-d4e67a975d5a
Windows 7 for 32-bit Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=278443c1-15dc-436b-893b-ffea6d29d16d
Windows 7 for x64-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=a584cd0f-2e05-4e36-8858-0ffead637162
Windows Server 2008 R2 for x64-based Systems**, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=d3386793-a594-4bc5-8308-28b561d43087
Windows Server 2008 R2 for Itanium-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=9d137bab-8312-4240-af74-c65ba652fde0
A restart is required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms10-002.mspx (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (2000), Windows (2003), Windows (2008), Windows (7), Windows (Vista), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 14 Jan 2010 22:39:50 +0000
Subject: Microsoft Internet Explorer (IE)
|
http://www.microsoft.com/technet/security/advisory/979352.mspx
CVE-2010-0249
|
|
Go to the Top of This SecurityTracker Archive Page
|
