|
| |
|
Security Intelligence Operations
Microsoft Internet Explorer Event Handling Cross-Domain Vulnerability |
| |
| Vulnerability Alert | Powered by  |
|
|
| Threat Type: | Exploit Host or Network Trust: Exploit System Trust |
|
| IntelliShield ID: | 16830 |
| Version: | 1 |
| First Published: | October 14, 2008 03:22 PM EDT |
| Last Published: | October 14, 2008 03:22 PM EDT |
| Vector: | Network |
| Authentication: | None |
| Exploit: | Unproven |
| Port: |
Not Available
|
| CVE: | CVE-2008-3473 |
| BugTraq ID: | 31616 |
| |
| Urgency: |
Unlikely Use
|  |
| Credibility: |
Confirmed
|  |
| Severity: |
Moderate Damage
|  |
| CVSS Base: | 9.3 |
CVSS Calculator
CVSS Version 2
|
| CVSS Temporal: | 6.9 |
|
|
| |
| Version Summary: | Microsoft Internet Explorer contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information or execute arbitrary code. Updated software is available. |
| |
| |
| Description |
|
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to bypass cross-domain security restrictions.
The vulnerability is due to insufficient cross-domain security restrictions when handling certain event handlers. An attacker could exploit the vulnerability by convincing a user to visit a malicious website. If successful, the attacker could execute arbitrary code on systems with Internet Explorer 6 SP1 and prior, or disclose information on systems with Internet Explorer 7.
Microsoft has confirmed this vulnerability and released updated software. |
| |
| Warning Indicators |
|
Microsoft Internet Explorer versions 6.0 SP1 and prior, and Internet Explorer 7.0 are vulnerable on the following operating systems:
- Windows 2000 SP4 and prior
- Windows XP SP3 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 for Itanium-based Systems SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
|
| |
| IntelliShield Analysis |
|
Attackers cannot directly exploit this vulnerability and must rely on user interaction. An attacker must convince a user to visit a malicious website, likely by providing a URL to a user within an e-mail message. If successful, the attacker could execute arbitrary code with the privileges of the user or disclose sensitive information, depending on the version of Internet Explorer and the operating system.
Microsoft rates this vulnerability as Critical only for Internet Explorer 6.0 SP1 and prior when running on Windows 2000 SP4 and prior. Other systems and application versions result in information disclosure as the result of higher default security configurations. Windows Server 2003 and Windows Server 2008 systems running Internet Explorer are also at a reduced risk for exploitation due to the Enhanced Security Configuration mode. The Enhanced Security Configuration mode sets the Internet security level to High by default, reducing the impact for web pages that are not yet included in the trusted sites zone. Systems running Windows XP SP2 or later may also be at a reduced risk due to the Local Machine zone lockdown security enhancement. This enhancement may help mitigate this vulnerability if an attacker targets the Local Machine security zone.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the October 2008 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for October 2008
Microsoft has corrected this vulnerability by correcting script identifiers, restricting interactions to source domains. |
| |
| Vendor Announcements |
|
Microsoft has released a security bulletin at the following link: MS08-058 |
|
| |
| Impact |
|
An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code on systems with Internet Explorer 6 SP1 and prior and to disclose information on systems with Internet Explorer 7. |
| |
| Technical Information |
|
The vulnerability exists because Internet Explorer does not properly enforce cross-domain security policies on event handlers when executing scripts. As a result, events could bypass cross-domain security models and access resources in other security domains.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to visit a malicious website. The attacker could execute scripts from the website that could allow the attacker to execute arbitrary code on the system. The attacker could also access sensitive information contained within the trusted domain, such as cookie-based authentication information, or monitor user input to the trusted site. Remote code execution is limited to Internet Explorer 6 SP1 and prior on Windows 2000 systems because of higher default security settings on other platforms. |
| |
| Safeguards |
|
Administrators are advised to apply the appropriate updates.
Administrators may consider configuring Internet Explorer to prompt users before running ActiveX controls and Active Scripting by setting the Internet and Local Intranet security zone settings to High. Alternately, administrators could disable ActiveX and Active Scripting in these security zones.
Users are advised to add trusted sites to the Internet Explorer Trusted sites zone.
Users are advised not to open e-mail from untrusted sources and may consider reading e-mail in plain text format.
Users are advised not to follow unsolicited links. Users should verify the authenticity of an unexpected link from a trusted source prior to following it.
Users are advised to run applications with the least necessary privileges.
Users may consider using an alternate browser that does not support ActiveX controls. |
| |
| Patches/Software |
|
Microsoft has released updated software at the following links:
|
|
| |
| Alert History |
| |
Initial Release |
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|
| |
