----------------------------------------------------------------------

TITLE:
Microsoft Internet Explorer Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA34678

VERIFY ADVISORY:
http://secunia.com/advisories/34678/

DESCRIPTION:
Some vulnerabilities have been reported in Microsoft Internet
Explorer, which can be exploited by malicious people to compromise a
user's system.

1) An error in WinINet can be exploited to reflect NTLM credentials
and execute arbitrary code.

This is related to vulnerability #3 in:
SA34677

2) An unspecified error when handling transition errors while
navigating between web pages can be exploited to corrupt memory via a
specially crafted web page.

Successful exploitation may allow execution of arbitrary code.

3) An unspecified error when accessing a deleted or improperly
initialised object can be exploited to corrupt memory via a specially
crafted web page.

Successful exploitation may allow execution of arbitrary code.

4) Another unspecified error when accessing a deleted or improperly
initialised object can be exploited to corrupt memory via a specially
crafted web page.

Successful exploitation may allow execution of arbitrary code.

5) A third unspecified error when accessing a deleted or improperly
initialised object can be exploited to corrupt memory via a specially
crafted web page.

Successful exploitation may allow execution of arbitrary code.

SOLUTION:
Apply patches.

Windows 2000 SP4 with Internet Explorer 5.01 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=7799fd05-5b26-449f-8a14-50227c9164d1

Windows 2000 SP4 with Internet Explorer 6 SP1:
http://www.microsoft.com/downloads/details.aspx?familyid=87f0c380-5c31-4099-a6a9-c12f9d69b03b

Windows XP SP2/SP3 with Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=052c29fc-e8df-402c-9ab1-1079bc738e1b

Windows XP Professional x64 Edition (optionally with SP2) with
Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=84c62211-2e82-4ccc-9f9b-26462b026d86

Windows Server 2003 SP1/SP2 with Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=f73a3669-c17f-4b18-8456-96cb7d52ed86

Windows Server 2003 x64 Edition (optionally with SP2) with Internet
Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=03a9d581-2bd5-4151-9826-17b96e16f606

Windows Server 2003 with SP1/SP2 for Itanium-based Systems with
Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=53d13c07-80b0-4f05-b372-a2dac17e6157

Windows XP SP2/SP3 with Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=55d6729a-9f96-4da4-b564-676c0a0c9390

Windows XP Professional x64 Edition (optionally with SP2) with
Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=191c2f20-89ae-4e1c-bdd4-24b4abfe6b6c

Windows Server 2003 SP1/SP2 with Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=6a45dbd0-0520-4d9b-b76e-3f5109dd310d

Windows Server 2003 x64 Edition (optionally with SP2) with Internet
Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=60ccc1d6-ea31-420c-b630-d7878a8dc527

Windows Server 2003 with SP1/SP2 for Itanium-based Systems with
Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=0abaa2fb-7c4f-4149-993d-1575888bfc84

Windows Vista (optionally with SP1) with Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=d743849d-f3b5-4114-adef-ade2716d55ac

Windows Vista x64 Edition (optionally with SP1) with Internet
Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=d191c8dc-a965-4a6a-b6d8-1470505eb55f

Windows Server 2008 for 32-bit Systems with Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=e2c6313c-3ba9-4f7c-b259-b4582a390146

Windows Server 2008 for x64-based Systems with Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=ebbade9d-704c-440b-8796-6d64225ac01a

Windows Server 2008 for Itanium-based Systems with Internet
Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=1b04aa6f-b787-4122-bf82-0d150618fe7a

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits Michal Zalewski, Google.
3) The vendor credits Ivan Fratric, iSIGHT Partners Labs.
4) The vendor credits Skylined, Google.
5) The vendor credits ADLab, VenusTech.

ORIGINAL ADVISORY:
MS09-014 (KB963027):
http://www.microsoft.com/technet/security/bulletin/ms09-014.mspx

OTHER REFERENCES:
SA34677:
http://secunia.com/advisories/34677/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.