Microsoft Internet Explorer Cross-Site Scripting Filter Can Be Bypassed
|
SecurityTracker Alert ID: 1023494
|
SecurityTracker URL: http://securitytracker.com/id/1023494
|
CVE Reference: CVE-2009-4074
|
Date: Jan 21 2010
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 8
|
Description:
A vulnerability was reported in Microsoft Internet Explorer. A remote user can create a specially crafted URL that, when loaded by a target user, will bypass the cross-site scripting filter.
Only Internet Explorer version 8 is affected.
David Lindsay "thornmaker" and Eduardo A. Vela Nava "sirdarckcat" reported this vulnerability.
|
Impact:
A remote user can bypass the cross-site scripting filter.
|
Solution:
The vendor has issued the following fixes as part of a cumulative update for Internet Explorer.
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=7c2948fb-f486-4801-bc21-bbf40d5a78c2
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=41b83fad-948b-4a9c-80ed-9c5a60bd35b4
Windows Server 2003 Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=7d480c87-2ca9-4505-a59d-a6d73d001fa5
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=3e2e740b-8417-4758-8468-15221249ec71
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=5e2cbd7d-f64f-49e5-a159-1965ebfe2a92
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=b7a7e8e7-f4c5-459d-ab6c-05a192e1e3f9
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=f5ce8582-af63-4870-bee3-0abeeefa1458
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=be11981c-d286-4e3c-94bf-d4e67a975d5a
Windows 7 for 32-bit Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=278443c1-15dc-436b-893b-ffea6d29d16d
Windows 7 for x64-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=a584cd0f-2e05-4e36-8858-0ffead637162
Windows Server 2008 R2 for x64-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=d3386793-a594-4bc5-8308-28b561d43087
Windows Server 2008 R2 for Itanium-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=9d137bab-8312-4240-af74-c65ba652fde0
A restart is required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms10-002.mspx
|
Cause:
Input validation error
|
Underlying OS:
Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 21 Jan 2010 18:18:07 +0000
Subject: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
|
Microsoft Security Bulletin MS10-002 - Critical: Cumulative Security Update for Internet Explorer (978207)
CVE-2009-4074
|