Zero Day Vulnerability – IE6/IE7 CSS Buffer Overflow with Javascript

by Bill Correa 24. November 2009 06:56
Severity:  High

23 November 2009

Summary:
  • Vulnerability Affects:  Internet Explorer 6 and 7.  NOTE: Internet Explorer 8 is NOT affected
  • How an attacker exploits it: by luring a user to a malicious or compromised Web page; the attack requires JavaScript
  • Impact:  Various results; in the worst case, an attacker executes code on your user's computer, potentially gaining full control of it
  • What to do: No patch available yet for IE6/IE7 – best course of action is to upgrade to IE8
Exposure:

Affected Software

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  • Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
  • Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
  • Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
  • Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
  • Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Non-Affected Software

  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems
  • Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
  • Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
  • Internet Explorer 8 for Windows Server 2003 Service Pack 2 and Windows Server 2003 x64 Edition Service Pack 2
  • Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Internet Explorer 8 in Windows 7 for 32-bit Systems
  • Internet Explorer 8 in Windows 7 for x64-based Systems
  • Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
  • Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems

A vulnerability in Internet Explorer 6 and 7 (but not IE8) can permit remote code execution.  It was published to the Bugtraq security mailing list as exploit code by an unknown grey hat calling himself "K4mr4n_st" on Nov 20, 2009.  The exploit's author did not release any details about this IE vulnerability. However, researchers at Symantec have analyzed the exploit and discovered that it leverages a heap buffer overflow flaw in the way IE handles cascading style sheets (CSS).

From the Symantec Article:
The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.  When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors.  For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Solution Path:

In IE6/7, JavaScript can be disabled for public Internet sites. Also maintain current AV / IPS protection.
Recommended action is to upgrade to IE8 which is not affected by the vulnerability.
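
The following script is an added example, not part of the original post: it reads the installed IE version from the registry, reports whether it falls in the affected IE6/IE7 range, and checks (or, with -Apply, sets) Active Scripting for the Internet zone. It assumes the per-user zone settings under HKCU are in effect; the script name and the -Apply switch are hypothetical.

```powershell
# Check-IEScripting.ps1 (hypothetical name) - audit the IE6/IE7 JavaScript workaround
param([switch]$Apply)   # without -Apply the script only reports

$ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$action  = '1400'   # URL action 1400 = Active scripting
$disable = 3        # 0 = enable, 1 = prompt, 3 = disable

function Get-IEMajorVersion {
    # The Version value looks like "7.0.6000.16386"; return the leading number
    $v = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).Version
    if (-not $v) { return $null }
    return [int]($v.Split('.')[0])
}

function Test-Affected([int]$Major) {
    # Per the advisory: IE6 and IE7 are affected, IE8 is not
    return ($Major -eq 6 -or $Major -eq 7)
}

$major = Get-IEMajorVersion
if ($null -eq $major) {
    Write-Output 'Internet Explorer version not found in the registry.'
    return
}
if (-not (Test-Affected $major)) {
    Write-Output "IE major version $major is not in the affected range (6 or 7)."
    return
}

$current = (Get-ItemProperty -Path $zoneKey -Name $action -ErrorAction SilentlyContinue).$action
if ($current -eq $disable) {
    Write-Output "IE$major is affected; Active Scripting is already disabled for the Internet zone."
}
elseif ($Apply) {
    Set-ItemProperty -Path $zoneKey -Name $action -Value $disable -Type DWord
    Write-Output "IE$major is affected; Active Scripting is now disabled for the Internet zone (current user)."
}
else {
    Write-Output "IE$major is affected; Active Scripting is NOT disabled (value: $current). Re-run with -Apply or upgrade to IE8."
}
```

Zone settings pushed by Group Policy take precedence over the per-user value, so on managed machines the same setting is better deployed through policy.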

Status:

Microsoft has not released a patch for this issue at this time.
