A vulnerability in Internet Explorer may allow an attacker to conduct remote code execution. The vulnerability is in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, the attacker could exploit the vulnerability and take complete control of an affected system.
Attack Vector: Website with malicious content
User Interaction: User interaction is needed
Vendor Status: Responded and patched
Vulnerable Systems
Internet Explorer 6 SP1 on Windows 2000 SP4
Internet Explorer 6 on Windows Server 2003 SP2
Internet Explorer 6 on Windows Server 2003 SP2 Itanium
Internet Explorer 6 on Windows Server 2003 X64 Edition SP2
Internet Explorer 6 on Windows XP Professional X64 Edition SP2
Internet Explorer 6 on Windows XP SP2
Internet Explorer 6 on Windows XP SP3
Internet Explorer 7 on Windows Server 2003 SP2
Internet Explorer 7 on Windows Server 2003 X64 Edition SP2
Internet Explorer 7 on Windows Server 2008 Itanium Edition
Internet Explorer 7 on Windows Server 2008 X64 Edition
Internet Explorer 7 on Windows Vista SP1
Internet Explorer 7 on Windows Vista X64 Edition SP1
Internet Explorer 7 on Windows XP Professional X64 Edition SP2
Internet Explorer 7 on Windows XP SP2
The vendor has released patches to address this issue:
(MS09-072) HTML Object Memory Corruption Vulnerability (976325)
http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx