(MS09-019) Microsoft Internet Explorer Race Condition Cross-Domain Information Disclosure Vulnerability (969897)
- Type
- Race condition
- Impact of exploitation
- Information disclosure
- User Interaction
- User interaction is needed
- Attack Vector
- Information disclosure
- Rating
- Low
- CVE reference
- CVE-2007-3091
- Vendor Status
- Responded and patched
- Vulnerable systems
- Internet Explorer 5.01 SP4 Windows 2000 SP4
- Internet Explorer 6 SP1 Windows 2000 SP4
- Internet Explorer 6 SP1
- Internet Explorer 6 Microsoft Windows Server 2003 SP1
- Internet Explorer 6 Windows Server 2003 SP1
- Internet Explorer 6 Windows Server 2003 SP1 Itanium
- Internet Explorer 6 Windows Server 2003 SP2
- Internet Explorer 6 Windows XP Professional X64 Edition SP2
- Internet Explorer 6 Windows XP SP2
- Internet Explorer 7
- Internet Explorer 7 Windows Server 2003 SP2 Itanium
- Internet Explorer 7 Windows 2000 SP4
- Internet Explorer 7 Windows Vista SP1
- Internet Explorer 7 Windows Vista X64 Edition SP1
- Internet Explorer 7 Windows Server 2008 X64 Edition
- Internet Explorer 7 Windows Server 2008 X32 Edition
- Internet Explorer 7 Windows Server 2008 Itanium Edition
- Internet Explorer 7 Windows XP SP2
- Internet Explorer 7 Windows XP Professional X64 Edition SP2
- Summary
- A vulnerability in Microsoft Internet Explorer may allow for the disclosure of sensitive information.
Description
A vulnerability in Microsoft Internet Explorer may allow for the disclosure of sensitive information. The flaw allows scripts running within Internet Explorer to gain access to content from a separate browser window or session in another domain or Internet zone. Exploitation can be achieved via a specially crafted web page designed to target this issue. Social engineering tactics need to be employed to entice users to visit the malicious web page.
McAfee Product Mitigation & Recommendations
Recommendations
The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
McAfee Product Mitigation
McAfee Foundstone
- Signature:
- (MS09-019) Microsoft Internet Explorer Race Condition Cross-Domain Information Disclosure Vulnerability (969897)
- Signature identifier:
- 6750
- Release date:
- 6/9/2009
McAfee Intrushield
- Signature:
- HTTP: Microsoft IE Race Condition Cross-Domain Information Disclosure Vulnerability
- Signature identifier:
- 0x40261000
- Release date:
- 6/9/2009
- First released in:
- 4.1.51, 5.1.21
Additional Resources
Cumulative Security Update for Internet Explorer (969897)
http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
Timeline
6/9/2009
Vendor has provided a patch.
6/3/2007
A proof of concept has been released.