INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | Multiple remote code execution vulnerabilities exists in Internet Explorer due to attempts to access uninitialized memory incertain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. |
| PLATFORM: | Windows 2000 (all editions) Windows XP (all editions) Windows Server 2003 (all editions) Windows Vista (all editions) Windows Server 2008 (all editions) |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-in user. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
7.5 6.2 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) |
REVISION HISTORY:
09/10/2008 - revised S-351 to reflect changes Microsoft has made in MS08-045 where
they corrected a registry key verification entry for Windows XP and added
a mitigating factor for CVE-2008-2256.
[***** Start Microsoft Security Bulletin (MS08-045) *****]
Version: 1.1
This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported releases of Internet Explorer. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles the error resulting in the exploitable condition. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
The software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
| Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1 | ||||
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
| Internet Explorer 6 | ||||
Windows XP Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows XP Service Pack 3 |
Remote Code Execution |
Critical |
||
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
| Internet Explorer 7 | ||||
Windows XP Service Pack 2 and Windows XP Service Pack 3 |
Remote Code Execution |
Critical |
||
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
Windows Vista and Windows Vista Service Pack 1 |
Remote Code Execution |
Critical |
||
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 |
Remote Code Execution |
Critical |
||
Windows Server 2008 for 32-bit Systems* |
Remote Code Execution |
Critical |
||
Windows Server 2008 for x64-based Systems* |
Remote Code Execution |
Critical |
||
Windows Server 2008 for Itanium-based Systems |
Remote Code Execution |
Critical |
*Windows Server 2008 server core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.
HTML Objects Memory Corruption Vulnerability – CVE-2008-2254 |
HTML Objects Memory Corruption Vulnerability – CVE-2008-2255 |
Uninitialized Memory Corruption Vulnerability – CVE-2008-2256 |
HTML Objects Memory Corruption Vulnerability – CVE-2008-2257 and CVE-2008-2258 |
HTML Component Handling Vulnerability – CVE-2008-2259 |
Security Update Deployment |
Microsoft thanks the following for working with us to help protect customers:
| • | Yamata Li of Palo Alto Networks for reporting HTML Object Memory Corruption Vulnerability CVE-2008-2254. |
| • | Tavis Ormandy of the Google Security Team for reporting the Uninitialized Memory Corruption Vulnerability CVE-2008-2256. |
| • | Sam Thomas, working with TippingPoint and the Zero Day Initiative, for reporting the HTML Objects Memory Corruption Vulnerability CVE-2008-2257. |
| • | TippingPoint and the Zero Day Initiative for reporting the HTML Objects Memory Corruption Vulnerability CVE-2008-2258. |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (August 12th, 2008): Bulletin published. |
| • | V1.1 (August 20, 2008): Corrected a registry key verification entry for Windows XP and added a mitigating factor for CVE-2008-2256. |
[***** End Microsoft Security Bulletin (MS08-045) *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org