Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в Microsoft Internet Explorer
дополнено с 14 октября 2008 г.
Опубликовано:21 октября 2008 г.
Источник:
SecurityVulns ID:9361
Тип:удаленная
Уровень опасности:
7/10
Описание:Повреждения памяти, перехват информации, межсайтовый скриптинг.
Затронутые продукты:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
CVE:CVE-2008-3476 (Microsoft Internet Explorer 5.01 SP4 and 6 does not properly handle errors associated with access to uninitialized memory, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "HTML Objects Memory Corruption Vulnerability.")
 CVE-2008-3475 (Microsoft Internet Explorer 6 does not properly handle errors related to using the componentFromPoint method on xml objects that have been (1) incorrectly initialized or (2) deleted, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "Uninitialized Memory Corruption Vulnerability.")
 CVE-2008-3474 (Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy and obtain sensitive information via a crafted HTML document, aka "Cross-Domain Information Disclosure Vulnerability.")
 CVE-2008-3473 (Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy, and execute arbitrary code or obtain sensitive information, via a crafted HTML document, aka "Event Handling Cross-Domain Vulnerability.")
 CVE-2008-3472 (Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy, and execute arbitrary code or obtain sensitive information, via a crafted HTML document, aka "HTML Element Cross-Domain Vulnerability.")
 CVE-2008-2947 (Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 7 allows remote attackers to access restricted information from other domains via JavaScript that uses the Object data type for the value of a (1) location or (2) location.href property, related to incorrect determination of the origin of web script, aka "Window Location Property Cross-Domain Vulnerability." NOTE: according to Microsoft, CVE-2008-2948 and CVE-2008-2949 are duplicates of this issue, probably different attack vectors.)
Оригинальный текстdocumentsecurity_(at)_nruns.com, n.runs-SA-2008.008 - Internet Explorer HTML Object Memory Corruption and Remote Code Execution (21.10.2008)
 documentifsecure_(at)_gmail.com, Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution (16.10.2008)
 documentZDI, [Full-disclosure] ZDI-08-069: Microsoft Internet Explorer componentFromPoint Memory Corruption Vulnerability (15.10.2008)
 documentMICROSOFT, Microsoft Security Bulletin MS08-058 - Critical Cumulative Security Update for Internet Explorer (956390) (14.10.2008)
Файлы:Microsoft Security Bulletin MS08-058 - Critical Cumulative Security Update for Internet Explorer (956390)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород