This alert is to notify you that Microsoft has released Security Advisory 977981 - Vulnerability in Internet Explorer Could Allow Remote Code Execution - on November 23, 2009.
SUMMARY

Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, and Windows Internet Explorer 8 on all supported versions of Microsoft Windows are not affected. Windows Internet Explorer 6 Service Pack 2 and Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008 are affected.

The vulnerability is an invalid pointer reference in Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. This can cause Internet Explorer to exit unexpectedly, creating a state that is exploitable.

At this time, we are aware of no attacks that attempt to use this vulnerability against Windows Internet Explorer 6 Service Pack 2 and Windows Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

MITIGATING FACTORS

* Internet Explorer 8 is not affected.
* Protected Mode in Internet Explorer 7 on Windows Vista limits the impact of the vulnerability.
* By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
* By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

AFFECTED SOFTWARE

The security advisory discusses the following software.

Affected Software
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista
* Windows Vista Service Pack 1 and Service Pack 2
* Windows Vista x64 Edition
* Windows Vista x64 Edition Service Pack 1 and Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
* Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
* Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
* Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
* Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
* Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
* Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
* Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Non-Affected Software
* Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4
* Internet Explorer 8 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
* Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
* Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
* Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
* Internet Explorer 8 in Windows 7
* Internet Explorer 8 in Windows 7 x64 Edition
* Internet Explorer 8 in Windows Server 2008 R2 for 32-bit Systems
* Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
* Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
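The mitigating factors above (IE 8 not affected, Internet zone at High under Enhanced Security Configuration, Active Scripting blocked in the Restricted sites zone, Protected Mode on Vista, non-administrative browsing) can each be verified on a host from the registry. The script below is an added example written for this notice; it is not Microsoft's code and is not part of advisory 977981. It assumes PowerShell 2.0 on the affected platforms (XP SP3, Server 2003 SP2, Vista, Server 2008), reads the standard Internet Explorer version and Internet Settings zone keys (zone 3 = Internet, zone 4 = Restricted sites; value 1400 = Active Scripting, 2500 = Protected Mode), and uses the Active Setup component GUIDs that IE Enhanced Security Configuration registers for the Administrators and Users groups. The version test only flags IE 6 and IE 7 as "in range"; the OS and service-pack comparison against the affected list is left to the reader because the advisory's own summary and table differ for IE 6 SP1 on Windows 2000.

```powershell
# Added example (not part of the Microsoft advisory): audit one host against the
# advisory's version list and mitigating factors. Requires PowerShell 2.0 (-split).

function Get-IEVersion {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($p.svcVersion) { return $p.svcVersion }   # IE 10 and later keep the real version here
    return $p.Version                              # IE 6/7/8, e.g. 7.0.5730.13
}

function Get-ZoneValue {
    # Zone 3 = Internet, 4 = Restricted sites. Names: CurrentLevel, 1400 (Active
    # scripting: 0 enable, 1 prompt, 3 disable), 2500 (Protected Mode: 0 on, 3 off).
    param([int]$Zone, [string]$Name, [string]$Hive = 'HKCU')
    $key = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $p = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return $p.$Name
}

function Get-ZoneLevelName([int]$Level) {
    switch ($Level) {
        0x12000 { 'High' }
        0x11500 { 'Medium-High' }
        0x11000 { 'Medium' }
        0x10500 { 'Medium-Low' }
        0x10000 { 'Low' }
        0       { 'not set' }
        default { 'unknown (0x{0:X})' -f $Level }
    }
}

function Test-EscEnabled {
    # Active Setup components registered by IE Enhanced Security Configuration.
    $base  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admin = (Get-ItemProperty "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
    $users = (Get-ItemProperty "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
    return @{ Administrators = ($admin -eq 1); Users = ($users -eq 1) }
}

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AdvisoryAudit {
    $ver      = Get-IEVersion
    $major    = [int](($ver -split '\.')[0])
    $os       = Get-WmiObject Win32_OperatingSystem
    $isServer = ($os.ProductType -ne 1)              # 1 = workstation, 2 = DC, 3 = server
    $isVista  = (([version]$os.Version).Major -ge 6) # Protected Mode exists from Vista on
    $findings = @()

    "Host: $($os.Caption) SP$($os.ServicePackMajorVersion)  IE $ver"

    # 1. Version: the advisory lists IE 6 and IE 7 as affected, IE 5.01 SP4 and IE 8 as not.
    if ($major -eq 6 -or $major -eq 7) {
        $findings += "IE $major is in the advisory's affected range; check OS/SP against the affected software list"
    } elseif ($major -ge 8) {
        "IE $major is listed as not affected"
    }

    # 2. Internet zone: High (the ESC default) or Active Scripting disabled.
    $level  = Get-ZoneValue -Zone 3 -Name 'CurrentLevel'
    $script = Get-ZoneValue -Zone 3 -Name '1400'
    "Internet zone: $(Get-ZoneLevelName $level); Active Scripting (1400) = $script"
    if ($level -ne 0x12000 -and $script -ne 3) {
        $findings += 'Internet zone is below High and Active Scripting is not disabled'
    }

    # 3. Restricted sites must still block Active Scripting for the HTML e-mail factor to hold.
    $rs = Get-ZoneValue -Zone 4 -Name '1400'
    if ($rs -ne $null -and $rs -ne 3) { $findings += "Restricted sites zone allows Active Scripting (1400 = $rs)" }

    # 4. Protected Mode on Vista/2008: 2500 = 0 means on.
    if ($isVista) {
        $pm = Get-ZoneValue -Zone 3 -Name '2500'
        if ($pm -eq $null)  { $findings += 'Protected Mode value (2500) not present; verify in Internet Options' }
        elseif ($pm -ne 0)  { $findings += 'Protected Mode is off for the Internet zone' }
    }

    # 5. Servers: Enhanced Security Configuration should be on for both groups.
    if ($isServer) {
        $esc = Test-EscEnabled
        "ESC: Administrators=$($esc.Administrators) Users=$($esc.Users)"
        if (-not ($esc.Administrators -and $esc.Users)) { $findings += 'IE Enhanced Security Configuration is disabled for at least one group' }
    }

    # 6. Least privilege: exploitation runs with the browsing user's rights.
    if (Test-IsAdmin) { $findings += 'Current user browses as a local administrator' }

    if ($findings.Count -eq 0) { 'No findings: listed mitigating factors are in place' }
    else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
}

Invoke-AdvisoryAudit
```

Zone values are read from HKCU, so the script reports the settings of the account running it; where the Security_HKLM_only policy is in force the effective values live under the same path in HKLM, and the Hive parameter of Get-ZoneValue can be switched to 'HKLM' to read them. A High Internet zone or disabled Active Scripting reduces exposure on the Web path only; a user who follows a link from a Restricted-zone e-mail message still lands in the Internet zone, as the advisory notes.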
RECOMMENDATIONS

Review Microsoft Security Advisory 977981 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources. Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
ADDITIONAL RESOURCES REGARDING INFORMATION CONSISTENCY

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's Web-based security content, the information in Microsoft's Web-based security content is authoritative.

Thank you,
Microsoft CSS Security Team