CERT-MU Vulnerability Note VN-2009-20

Microsoft Internet Explorer Memory Corruption vulnerabilities

Original Issue Date: July 29, 2009

Severity Rating: High

Affected Softwares

• Windows 2000 SP4 and prior
• Windows XP SP3 and prior
• Windows XP Professional x64 Edition SP2 and prior
• Windows Server 2003 SP2 and prior
• Windows Server 2003 x64 Edition SP2 and prior
• Windows Server 2003 for Itanium-based Systems SP2 and prior
• Windows Vista SP2 and prior
• Windows Vista x64 Edition SP2 and prior
• Windows Server 2008 for 32-bit Systems SP2 and prior
• Windows Server 2008 for x64-based Systems SP2 and prior
• Windows Server 2008 for Itanium-based Systems SP2 and prior

Component Affected

• Internet Explorer 5.01 SP4 and prior
• Internet Explorer 6 SP2 and prior
• Internet Explorer 7
• Internet Explorer 8

Overview

Multiple vulnerabilities have been reported in Microsoft Active Template Library (ATL). Successful exploitation of these vulnerabilities could allow an attacker to execute an arbitrary code and take complete control of the affected system or cause the Information disclosure.

Overview

Multiple vulnerabilities have been reported in Microsoft Internet Explorer.

By convincing a user to view a specially crafted HTML document (e.g., a Web page, HTML email message, or HTML attachment), an attacker may be able to execute arbitrary code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Description

• Memory Corruption Vulnerability (CVE-2009-1917)
  
  (CVE-2009-1917) This is a remote code vulnerability which exists due to invalid memory operations that may occur as the result of accessing deleted or uninitialized memory objects leads to memory corruption.
  
  
• HTML Objects Memory Corruption Vulnerability (CVE-2009-1918)
  
  This memory corruption vulnerability is due to improper handling of table operations in specific situation by Internet Explorer and leads to remote code execution.
  
  
• Uninitialized Memory Corruption Vulnerability (CVE-2009-1919)
  
  This is a remote code execution vulnerability that exists due to invalid operations on uninitialized memory objects. Internet Explorer may access removed or previously undefined memory objects as the result of processing malformed HTML content.
  
  Note:
  
  • This update replaces Microsoft Bulletin MS09-019
  • The vulnerabilities are the known attack vector for exploiting the Active Template Library (ATL) vulnerabilities described in MS09-035 and Microsoft Security Advisory 973822.

  Workarounds

  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  For detailed steps and impact of applying these workarounds refer to Microsoft Security bulletin MS09-034

  CVE Name

  CVE-2009-1917
  CVE-2009-1918
  CVE-2009-1919

  Disclaimer

  The information provided herein is on "as is" basis, without warranty of any kind.

  Vendor Information

  Microsoft
  http://www.microsoft.com/technet/security/Bulletin/MS09-34.mspx

  References

  Microsoft
  http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx
  http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer- mitigations-for-atl-data-stream-vulnerabilities.aspx
  http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
  http://www.microsoft.com/technet/security/advisory/973882.mspx
  
  CISCO
  http://tools.cisco.com/security/center/viewAlert.x?alertId=18721
  http://tools.cisco.com/security/center/viewAlert.x?alertId=18723
  http://tools.cisco.com/security/center/viewAlert.x?alertId=18724
  
  ISS XFORCE
  http://www.iss.net/threats/337.html
  http://xforce.iss.net/xforce/xfdb/52050
  http://xforce.iss.net/xforce/xfdb/52049