MS-ISAC ADVISORY NUMBER:
2009-079

DATE(S) ISSUED:
11/23/2009

SUBJECT:
Vulnerability in Microsoft Internet Explorer Could Allow Remote Code Execution

OVERVIEW:

A vulnerability has been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. At this point in time, no patches are available for this vulnerability. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks may cause denial-of-service conditions.

SYSTEMS AFFECTED:

  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 7.0

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been identified in Microsoft Internet Explorer that could allow remote code execution which is caused by a buffer-overflow condition due to a malformed record value. This vulnerability can be triggered by opening a specially crafted web page or by clicking on a link in an email. The vulnerability is related to the handling of the 'Style' HTML tag when accessed via the 'document.getElementsByTagName' Javascript function. The vulnerability allows the attacker to corrupt memory and influence a dangling function pointer in the Microsoft HTML viewer.

Successful exploitation could allow an attacker to execute arbitrary code on the affected system. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Failed exploitation could result in denial-of-service conditions.

Please note: Exploit code has been published and is publically available. We have confirmed in our lab that the current exploit code causes a denial of service condition.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Consider disabling Active Scripting until a vendor patch is applied.
  • Consider upgrading to Microsoft Internet Explorer 8.
  • If your organization has deployed alternate browsers, recommend staff utilize an alternate browser not currently vulnerable to this attack.
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing..
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • If you believe you have been affected by targeted attacks exploiting this vulnerability, please follow your organization's policies for incident reporting.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/37085(New Window)

SANS:
http://isc.sans.org/diary.html?storyid=7624(New Window)

Vupen:
http://www.vupen.com/english/advisories/2009/3301(New Window)

Secunia:
http://secunia.com/advisories/37448/(New Window)

Computerworld:
http://www.computerworld.com/s/article/9141278/New_attack_fells_Internet_Explorer(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.