Out of Band Microsoft Security Advisory - Vulnerability in Internet Explorer Could Allow Remote Code Execution

Number: AV10-009
Date: 30 March 2010

Purpose

The purpose of this advisory is to bring attention to an out-of-band Microsoft security advisory to address both publicly and privately reported vulnerabilities in Internet Explorer.

Assessment

Microsoft has released the following security bulletins:

MS10-018 - Critical - Cumulative Security Update for Internet Explorer (980182)
Details: This security update resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Internet Explorer on Windows clients: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. For Internet Explorer 6 on Windows servers, this update is rated Important. For Internet Explorer 8 on Windows servers, this update is rated Moderate. For more information, see the Affected and Non-Affected Software subsection of the Microsoft bulletin.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URLs.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 981374. The vulnerability, CVE-2010-0806, does not affect Windows 7, Windows Server 2008 R2, or Internet Explorer 8.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: All supported versions of Internet Explorer on supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-0267, CVE-2010-0488, CVE-2010-0489, CVE-2010-0490, CVE-2010-0491, CVE-2010-0492, CVE-2010-0494, CVE-2010-0805, CVE-2010-0806, and CVE-2010-0807.

Suggested action

CCIRC recommends that administrators test and deploy these updates at the earliest opportunity.

Microsoft's recommendation: The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.
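Administrators who deploy the update manually, or who want to confirm that automatic updating actually applied it, can check for the KB number named in MS10-018 on each host. The following PowerShell is an added example, not part of the CCIRC advisory or Microsoft's bulletin; it assumes WMI and remote-registry access to the listed hosts and PowerShell 2.0 or later on the querying machine.

```powershell
# Added example: report whether the MS10-018 cumulative update (KB980182)
# is installed, alongside the Internet Explorer version on each host.
# Get-HotFix reads Win32_QuickFixEngineering, which Windows Update populates.
function Test-MS10018 {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$KB = 'KB980182'   # KB number given in the MS10-018 bulletin title
    )
    foreach ($computer in $ComputerName) {
        $installed = $false
        $ieVersion = $null
        try {
            # Match on HotFixID rather than -Id so a missing hotfix yields $false, not an error.
            $hotfix = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                      Where-Object { $_.HotFixID -eq $KB }
            $installed = [bool]$hotfix

            # The IE releases covered by this advisory record their version under this key.
            $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $ieKey = $reg.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
            if ($ieKey) { $ieVersion = $ieKey.GetValue('Version') }
        } catch {
            # Unreachable host or access denied: report it rather than silently marking it patched.
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        }
        New-Object PSObject -Property @{
            Computer  = $computer
            IEVersion = $ieVersion
            KB980182  = $installed
            Action    = if ($installed) { 'none' } else { 'deploy MS10-018 and re-check' }
        }
    }
}

# Constructed host list for illustration; replace with your own inventory.
Test-MS10018 -ComputerName @($env:COMPUTERNAME) |
    Select-Object Computer, IEVersion, KB980182, Action | Format-Table -AutoSize
```

Hosts that report an IE version but no KB980182 entry should be treated as unpatched until Windows Update or WSUS confirms otherwise, since a failed install leaves no hotfix record.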

References:
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-mar.mspx

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca