[Important] - ITSS-Advisory : Microsoft : Internet Explorer - IT Security Notification
To users and administrators of systems with Internet Explorer installed
ITSS-Advisory : Medium : Microsoft : UPDATED ALERT Internet Explorer
It would be appreciated if this information can be communicated to students and staff through appropriate means, such as notice boards or linked through web information services.
The web address of this article is: [http://www.infodiv.unimelb.edu.au/it-security 04-11-2009-02.html]
THREAT LEVEL
============
Medium
INFORMATION
===========
Product: Internet Explorer
Publisher: Microsoft
Resolution: Patch/Upgrade
AFFECTED PLATFORMS
==================
Operating System: Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
IMPACT
======
Microsoft have released an update to MS09-054 to correct a number of issues that occur after applying the original patch. Users who have installed the original patch will need to apply the latest update available from:
[http://support.microsoft.com/kb/976749]
Revision History:
November 3 2009: Added a comment on the required update to the original patch
October 14 2009: Initial Release
Relevant vulnerable releases:
Internet Explorer 5.01 Service Pack 4 when installed on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2 and Windows XP Service Pack 3
Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2
Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3
Internet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2
Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 with SP2 for Itanium-based Systems
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Internet Explorer 7 in Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 8 for Windows XP Service Pack 2 and Windows XP Service Pack 3
Internet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2
Internet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Internet Explorer 8 in Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation not affected)
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
Vulnerability Information
=========================
Data Stream Header Corruption Vulnerability - CVE-2009-1547
A remote code execution vulnerability exists in the way that Internet Explorer processes data stream headers in specific situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
HTML Component Handling Vulnerability - CVE-2009-2529
A remote code execution vulnerability exists in the way that Internet Explorer handles argument validation of a variable in specific situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Uninitialized Memory Corruption Vulnerability - CVE-2009-2530
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Uninitialized Memory Corruption Vulnerability - CVE-2009-2531
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MITIGATION
==========
Users who have installed the original patch will need to apply the latest update available from:
[http://support.microsoft.com/kb/976749]
Or via Microsoft Windows Update.
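Administrators who need to confirm that the KB976749 update has actually reached their fleet can query each host's installed-update list remotely. The script below is an added example, not part of this advisory or of Microsoft's guidance; the host names and output path are placeholders, and it assumes WMI (DCOM) access to each host and that the update is recorded under the HotFixID 'KB976749'.

```powershell
# Added example: report which Windows hosts still lack KB976749, the update that
# supersedes the original MS09-054 patch. Host names and the CSV path are placeholders.
$RequiredKb = 'KB976749'
$Hosts      = @('lab-xp-01', 'lab-2003-01', 'lab-vista-01')   # placeholder host list
$ReportPath = 'C:\Temp\ms09-054-status.csv'                   # placeholder output path

$Report = foreach ($h in $Hosts) {
    $status    = 'Unreachable'
    $ieVersion = 'unknown'
    try {
        # Win32_QuickFixEngineering enumerates installed updates on 2000/XP/2003/Vista/2008/7.
        # Get-WmiObject works against these older targets; Get-CimInstance needs WinRM on the host.
        $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $h -ErrorAction Stop |
                     Where-Object { $_.HotFixID -eq $RequiredKb }
        if ($installed) { $status = "Patched ($RequiredKb installed)" }
        else            { $status = "Missing $RequiredKb" }

        # Read the IE version from the remote registry (requires the Remote Registry service).
        # Failure here only leaves the version as 'unknown'; the patch status is still reported.
        try {
            $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $h)
            $key = $reg.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
            if ($key) { $ieVersion = $key.GetValue('Version') }
        } catch { }
    } catch {
        $status = "Unreachable: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Host      = $h
        IEVersion = $ieVersion
        Status    = $status
    }
}

# Show unpatched or unreachable hosts first so they stand out in the console,
# then keep the full result for ticketing or follow-up.
$Report | Sort-Object Status | Format-Table Host, IEVersion, Status -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Hosts reported as Unreachable should be checked locally with `wmic qfe list` or the Add/Remove Programs list before assuming they are patched.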
REFERENCES
==========
Original Bulletin:
[http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx]
Announced on 04/11/2009