|
| |
|
Security Intelligence Operations
Microsoft Internet Explorer HTML Element Cross-Domain Vulnerability |
| |
| Vulnerability Alert | Powered by  |
|
|
| Threat Type: | Exploit Host or Network Trust: Exploit System Trust |
|
| IntelliShield ID: | 16829 |
| Version: | 1 |
| First Published: | October 14, 2008 02:14 PM EDT |
| Last Published: | October 14, 2008 02:14 PM EDT |
| Vector: | Network |
| Authentication: | None |
| Exploit: | Unproven |
| Port: |
Not Available
|
| CVE: | CVE-2008-3472 |
| BugTraq ID: | 31615 |
| |
| Urgency: |
Unlikely Use
|  |
| Credibility: |
Confirmed
|  |
| Severity: |
Moderate Damage
|  |
| CVSS Base: | 9.3 |
CVSS Calculator
CVSS Version 2
|
| CVSS Temporal: | 6.9 |
|
|
| |
| Version Summary: | Microsoft Internet Explorer contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information or execute arbitrary code. Updated software is available. |
| |
| |
| Description |
|
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to bypass cross-domain security restrictions.
The vulnerability exists due to insufficient cross-domain security restrictions when handling certain HTML elements. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a malicious website. An exploit could allow the attacker to execute arbitrary code on systems with Internet Explorer 6 SP1 and prior or disclose information on systems with Internet Explorer 7.
Microsoft has confirmed this vulnerability and released updated software. |
| |
| Warning Indicators |
|
Microsoft Internet Explorer versions 6.0 SP1 and prior and Internet Explorer 7.0 are vulnerable on the following operating systems:
- Windows 2000 SP4 and prior
- Windows XP SP3 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 for Itanium-based Systems SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
|
| |
| IntelliShield Analysis |
|
Attackers cannot directly exploit this vulnerability and instead rely on user interaction. An attacker must convince a user to visit a malicious website, likely by providing a URL in an e-mail message to a user. If successful, the attacker could execute arbitrary code with the privileges of the user or disclose sensitive information, depending on the version of Internet Explorer and the operating system.
Microsoft rates this vulnerability as Critical only for Internet Explorer versions 6.0 SP1 and prior when they are running on Windows 2000 SP4 and prior. An exploit on other systems and application versions could only allow an attacker to access sensitive information because those systems have higher default security configurations. Windows Server 2003 and Windows Server 2008 systems running Internet Explorer are also at a reduced risk for exploitation because of the Enhanced Security Configuration mode. The Enhanced Security Configuration mode sets the Internet security level to High by default, reducing the impact for web pages that are not yet included in the trusted sites zone. Systems that are running Windows XP SP2 or later may also be at a reduced risk due to the Local Machine zone lockdown security enhancement. This enhancement may help mitigate this vulnerability if an attacker targets the Local Machine security zone.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the October 2008 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for October 2008
Microsoft has corrected this vulnerability by enforcing cross-domain security policy properly when executing scripts. |
| |
| Vendor Announcements |
|
Microsoft has released a security bulletin at the following link: MS08-058 |
|
| |
| Impact |
|
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code on systems with Internet Explorer 6 SP1 and prior and disclose information on systems with Internet Explorer 7. |
| |
| Technical Information |
|
The vulnerability exists because Internet Explorer does not properly enforce cross-domain security policy on HTML elements when executing scripts. Internet Explorer may allow scripts from the Internet Security Zone to access resources in other security domains. As a result, those scripts could access information from external domains, possibly allowing an attacker to execute arbitrary code or access sensitive browser-based information.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a malicious website. The attacker could execute scripts from the malicious domain that could allow the attacker to execute arbitrary code on the system or access sensitive information from another domain, such as cookie-based authentication information, or to monitor user input to that trusted site. Remote code execution is limited to Internet Explorer versions 6 SP1 and prior on Windows 2000 systems. |
| |
| Safeguards |
|
Administrators are advised to apply the appropriate updates.
Administrators may consider configuring Internet Explorer to prompt users before running ActiveX controls and Active Scripting by setting the Internet and Local Intranet security zone settings to High. Alternately, administrators could disable ActiveX and Active Scripting in these security zones.
Users are advised to add trusted sites to the Internet Explorer Trusted sites zone.
Users are advised not to open e-mail from untrusted sources and may consider reading e-mail in plain text format.
Users are advised not to follow unsolicited links. Users should verify the authenticity of an unexpected link from a trusted source prior to following it.
Users are advised to run applications with the least necessary privileges.
Users may consider using an alternate browser that does not support ActiveX controls. |
| |
| Patches/Software |
|
Microsoft has released updated software at the following links:
|
|
| Signatures |
| |
|
|
| |
| Alert History |
| |
Initial Release |
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|
| |
