US-CERT Technical Cyber Security Alert TA08-352A -- Microsoft Internet Explorer Data Binding Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA08-352A


Microsoft Internet Explorer Data Binding Vulnerability

Original release date: December 17, 2008
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Internet Explorer
* Microsoft Outlook Express
* Other software that uses Internet Explorer components to render documents


Overview

Microsoft Internet Explorer contains an invalid pointer
vulnerability in its data binding code, which can allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable
system. Exploit code for this vulnerability is publicly available
and is being actively exploited.


I. Description

Microsoft Internet Explorer contains an invalid pointer
vulnerability in its data binding code. When Internet Explorer
renders a document that performs data binding, it may crash in a
way that is exploitable to run arbitrary code. Any program that
uses Internet Explorer's MSHTML layout engine, such as Outlook
Express, may be at risk. Further details are available in US-CERT
Vulnerability Note VU#493881.


II. Impact

By convincing a user to view a specially crafted document that
performs data binding (e.g., a web page or email message or
attachment), an attacker may be able to execute arbitrary code with
the privileges of the user.


III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS08-078.
This update provides new versions of mshtml.dll and wmshtml.dll,
depending on the target operating system. More details are
available in Microsoft Knowledge Base Article 960714.

Disable Active Scripting This vulnerability can be mitigated by
disabling Active Scripting in the Internet Zone, as specified in
the Securing Your Web Browser document. Note that this will not
block the vulnerability. IE still may crash when parsing specially
crafted content. Disabling Active Scripting will mitigate a common
method used to achieve code execution with this vulnerability.
Enable DEP in Internet Explorer 7 Enabling DEP in Internet
Explorer 7 on Windows Vista can help mitigate this vulnerability by
making it more difficult to achieve code execution using this
vulnerability.

Additional workarounds

Microsoft Security Bulletin MS08-078 provides additional details
for the above workarounds, as well as other workarounds not listed
here. These workarounds are further explained in the Microsoft SWI
Blog.


IV. References

* Microsoft Security Bulletin MS08-078 -
<https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>

* MS08-078: Security update for Internet Explorer -
<http://support.microsoft.com/kb/960714>

* Microsoft Security Advisory (961051) -
<http://www.microsoft.com/technet/security/advisory/961051.mspx>

* Update on Internet Explorer 7, DEP and Adobe Software -
<http://blogs.msdn.com/michael_howard/archive/2006/12/12/update-on-internet-explorer-7-dep-and-adobe-software.aspx>

* Data Binding -
<http://msdn.microsoft.com/en-us/library/ms531388(vs.85).aspx>

* MSHTML Reference -
<http://msdn.microsoft.com/en-us/library/aa741317.aspx>

* US-CERT Vulnerability Note VU#493881 -
<http://www.kb.cert.org/vuls/id/493881>

* Securing Your Web Browser -
<https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-352A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "TA08-352A Feedback VU#493881" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

December 17, 2008: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSUloq3IHljM+H4irAQJ5WggAilfQXBGc2UPVScZTIA81uf0dloPwzgJF
xM5M5r0a5j8Km5g5mHdhzqs4Ni1DY0enftvm6JeagUmOzVPzOGemqXxTeAx/G6ZD
ttW687bsX9OdDJ2cmq6EixRwgVPR6kVnSK5s/MLw8yYWg7RS0lY0Mrc42QUL2GXR
KKBb3redelGZ6Szm5PKOcumYSP9bsQtxOqGZUx+d3l9cDeIDPn3c2aHFSkPP5mGr
LyEEqXw5+ifpx6v1gGyRyFOtFHP2QBSOOrnt05S0KTuoBJQ9QtyC9TEyGVwWjeq8
68BuGiOakwNdsjpFLLjW4W34N3oXnGFKh6jXAi4KW3d9wcIidZj0+w==
=T3zy
-----END PGP SIGNATURE-----



Relevant Pages

  • [NT] Cumulative Security Update for Internet Explorer (MS06-021)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Improper memory and user input handling with Internet Explorer allows ... A remote code execution vulnerability exists in the way Internet Explorer ...
    (Securiteam)
  • [NT] Cumulative Security Update for Internet Explorer (MS06-013)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Microsoft Internet Explorer allow attackers to execute arbitrary code, ... A remote code execution vulnerability exists in the way Internet Explorer ...
    (Securiteam)
  • [NT] Cumulative Security Update for Internet Explorer (MS05-038)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... A buffer overflow vulnerability within Internet Explorer allows attackers ...
    (Securiteam)
  • SecurityFocus Microsoft Newsletter #165
    ... Tenable Security ... distribute, manage, and communicate vulnerability and intrusion detection ... Microsoft Internet Explorer MHTML Forced File Execution Vuln... ...
    (Focus-Microsoft)
  • [NT] Cumulative Security Update For Internet Explorer (MS04-004)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... previously-released updates for Internet Explorer 5.01, ... vulnerability could result in the execution of a script in the Local ...
    (Securiteam)