|
Microsoft Security Advisory (979352)Vulnerability in Internet Explorer Could Allow Remote Code ExecutionPublished: January 14, 2010 | Updated: January 15, 2010 Version: 1.1 Executive SummaryMicrosoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable. The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if the situation changes. On completion of this investigation, Microsoft will take appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update. We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home. Mitigating Factors: | • | Data Execution Protection (DEP) is enabled by default in Internet Explorer 8 on the following Windows operating systems: Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. | | • | Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability. | | • | In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site. | | • | An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. | | • | By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. | | • | By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. |
Issue ReferencesAffected and Non-Affected SoftwareThis advisory discusses the following software. Microsoft Windows 2000 Service Pack 4 | Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows XP Professional x64 Edition Service Pack 2 | Windows Server 2003 Service Pack 2 | Windows Server 2003 x64 Edition Service Pack 2 | Windows Server 2003 with SP2 for Itanium-based Systems | Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2 | Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Windows 7 | Windows 7 for x64-based Systems | Windows Server 2008 R2 for x64-based Systems | Windows Server 2008 R2 for Itanium-based Systems | Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 | Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 8 in Windows 7 for 32-bit Systems | Internet Explorer 8 in Windows 7 for x64-based Systems | Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems | Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems | Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4 |
| Frequently Asked Questions |
What is the scope of the advisory?
Microsoft is aware of a new vulnerability that affects Internet Explorer. The vulnerability in Internet Explorer affects the software that is listed in the Overview section. Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs. How could an attacker exploit this vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. Which of the workarounds should I apply to my system in order to be protected?
Based on our investigation, setting the Internet zone security setting to High will protect users from the issue described in this advisory. How does configuring the Internet zone security setting to High protect me from this vulnerability?
Setting the Internet zone security setting to High protects against this vulnerability by disabling scripting, disabling less secure features in Internet Explorer, and blocking known techniques used to bypass Data Execution Prevention (DEP). How does Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems protect me from this vulnerability?
Internet Explorer in Windows Vista and later Windows operating systems runs in Protected Mode by default in the Internet security zone. (Protected Mode is off by default in the Intranet zone.) Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user’s machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista which restrict access to processes, files, and registry keys with higher integrity levels. What is Data Execution Prevention (DEP)?
Data Execution Prevention support is included in Internet Explorer, and although on by default for Internet Explorer 8, is off by default for earlier versions of Internet Explorer. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the MSDN blog post, IE8 Security Part I: DEP/NX Memory Protection. | • | Protect Your PC We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your PC Web site. | | • | For more information about staying safe on the Internet, customers should visit Microsoft Security Central. |
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. | Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones |
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High. To raise the browsing security level in Internet Explorer, follow these steps: 1. | On the Internet Explorer Tools menu, click Internet Options. | 2. | In the Internet Options dialog box, click the Security tab, and then click the Internet icon. | 3. | Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High. |
Note If no slider is visible, click Default Level, and then move the slider to High. Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High. Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone". Add sites that you trust to the Internet Explorer Trusted sites zone After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. To do this, follow these steps: 1. | In Internet Explorer, click Tools, click Internet Options, and then click the Security tab. | 2. | In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites. | 3. | If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box. | 4. | In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add. | 5. | Repeat these steps for each site that you want to add to the zone. | 6. | Click OK two times to accept the changes and return to Internet Explorer. |
Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update. | Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone |
You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps: 1. | In Internet Explorer, click Internet Options on the Tools menu. | 2. | Click the Security tab. | 3. | Click Internet, and then click Custom Level. | 4. | Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK. | 5. | Click Local intranet, and then click Custom Level. | 6. | Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK. | 7. | Click OK two times to return to Internet Explorer. |
Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly. Impact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone". Add sites that you trust to the Internet Explorer Trusted sites zone After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. To do this, follow these steps: 1. | In Internet Explorer, click Tools, click Internet Options, and then click the Security tab. | 2. | In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites. | 3. | If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box. | 4. | In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add. | 5. | Repeat these steps for each site that you want to add to the zone. | 6. | Click OK two times to accept the changes and return to Internet Explorer. |
Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update. | Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7 |
This vulnerability is more difficult to exploit successfully if Data Execution Protection (DEP) is enabled for Internet Explorer. You can enable DEP for all versions of Internet Explorer that support DEP, using one of the following methods: | • | Enable DEP for Internet Explorer 7 interactively |
Local Administrators can control DEP/NX by running Internet Explorer as an Administrator. To enable DEP, perform the following steps: 1. | In Internet Explorer, click Tools, click Internet Options, and then click Advanced. | 2. | Click Enable memory protection to help mitigate online attacks. |
| • | Enable DEP for Internet Explorer via automated Microsoft Fix It |
See Microsoft Knowledge Base Article 979352 to use the automated Microsoft Fix it solution to enable or disable this workaround. Impact of workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel. Acknowledgments
Microsoft thanks the following companies for working with us and for providing details of the attack:
Microsoft Active Protections Program (MAPP)To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners. FeedbackSupport| • | Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support. | | • | International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support. | | • | Microsoft TechNet Security provides additional information about security in Microsoft products. |
DisclaimerThe information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions| • | V1.0 (January 14, 2010): Advisory published | | • | V1.1 (January 15, 2010): Revised Executive Summary to reflect investigation of limited targeted attacks. Added Data Execution Protection (DEP) information to Mitigating Factors section. Updated "How does configuring the Internet zone security setting to High protect me from this vulnerability?" in the Frequently Asked Questions section.
|
|