Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer HTTP Request Header Bug May Let Remote Users Obtain Information in a Different Domain
SecurityTracker Alert ID:  1020226
SecurityTracker URL:  http://securitytracker.com/id/1020226
CVE Reference:   CVE-2008-1544
Updated:  Jun 14 2008
Original Entry Date:  Jun 10 2008
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.01, 6, 6 SP1, 7
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can obtain potentially sensitive information.

A remote user can create a specially crafted HTTP request header that, when loaded by the target user, will bypass the same-origin policy and access information from the target user's system in the context of the target domain.

Stefano Di Paola of Minded Security reported this vulnerability.

The original advisory is available at:

http://www.mindedsecurity.com/MSA02240108.html

Impact:   A remote user can create HTML that, when loaded by the target user, will obtain information from the target user's system.
Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4, Microsoft Internet Explorer 5.01 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=88990B23-D37F-4D02-A5A3-2EE389ADE53C

Microsoft Windows 2000 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4C47CF8A-8100-4D43-855A-F225A3492B19

Windows XP Service Pack 2, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CC325017-3A48-4475-90E4-0C79A002FCE3

Windows XP Service Pack 3, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CC325017-3A48-4475-90E4-0C79A002FCE3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C8783CFE-9DA5-4842-AB3A-1E2BE4FAFC47

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=286AADA6-A358-41F1-B81A-8DE39B9F908A

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6604569A-3DB0-47E7-BD30-7DFBA8145386

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0262BEB8-1EB5-4C2D-A50A-0C6C6E0C1F61

Windows XP Service Pack 2 and Windows XP Service Pack 3, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=FBC31BDE-0BF5-490C-96A8-071310D9464A

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=19C0CCDC-95C9-4151-96B6-4F49B594EBE0

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A1AE9AD2-8329-4C96-B950-7534B3287EAA

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=FB0C70B4-CE9F-43D6-875A-3CFD0D3A2681

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=28D2913C-1C6B-4671-9892-DE08698CD5A6

Windows Vista and Windows Vista Service Pack 1, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6D68B39D-157F-4C3D-AC76-BC5A9386DB59

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4CF92235-861E-4B74-BEE3-8E977C8688D9

Windows Server 2008 for 32-bit Systems*, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A8922E7E-9264-4E09-B8AD-C5420FED8690

Windows Server 2008 for x64-based Systems*, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=05B0E838-24D7-4387-B069-2604BBCC43B9

Windows Server 2008 for Itanium-based Systems, Windows Internet Explorer 7:

http://www.microsoft.com/downloads/details.aspx?FamilyId=640E1865-EBCC-4D69-A770-FD360020DA1E

* = Windows Server 2008 is not affected if installed using the Server Core installation option.

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx

On June 14, 2008 (UTC), Microsoft issued an advisory warning that the System Center Configuration Manager 2007 may fail to deploy these updates to Systems Management Services (SMS) 2003 clients:

http://www.microsoft.com/technet/security/advisory/954474.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms08-031.mspx
Cause:   Access control error
Underlying OS:   Windows (2000), Windows (2003), Windows (2008), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Tue, 10 Jun 2008 14:36:24 -0400
Subject:  Microsoft Security Bulletin MS08-031 - Critical: Cumulative Security Update for Internet Explorer (950759)


http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx

CVE-2008-1442
CVE-2008-1544

Copyright 2014, SecurityGlobal.net LLC