INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A remote code execution vulnerability exists in Internet Explorer because of the way that it processes data streams. An attacker could exploit the vulnerability by constructing a specially crafted Web page. |
| PLATFORM: | Windows 2000 (all editions) Windows XP (all editions) Windows Server 2003 (all editions) Windows Vista (all editions) Windows Server 2008 (all editions) Storage Management Appliance (SMA) v2.1 software running on Storage Management Appliance I, II, III |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
6.4 5.3 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C) |
| LINKS: | |
| CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/s-257.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx |
| ADDITIONAL LINK: | Visit Hewlett-Packars's Subscription Service for: HPSBST02329 SSRT080048 rev. 1 |
| CVE: | CVE-2008-1085 |
REVISION HISTORY:
04/17/2008 - revised S-257 to reflect changes Microsoft has made in MS08-024 where they
corrected the uninstall utility path for Internet Explorer 6 for Windows XP
and to add a link to link to Hewlett-Packard's Subscription Service for
HPSBST02329 SSRT080048 rev. 1 for Storage Management Appliance (SMA) v2.1
software running on Storage Management Appliance I, II, III.
04/24/2008 - revised S-257 to reflect changes Microsoft has made in MS08-024 where they
removed erroneous references to Windows XP Professional x64 Edition Service
Pack 3.
[***** Start Microsoft Security Bulletin (MS08-024) *****]
Version: 2.1
This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update is rated Critical for all supported releases of Internet Explorer. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The update removes the vulnerability by modifying the way that Internet Explorer processes data streams. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. Microsoft Knowledge Base Article 947864 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.
The software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
| Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1 | ||||
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
| Internet Explorer 6 | ||||
Windows XP Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
| Internet Explorer 7 | ||||
Windows XP Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
Windows Vista and Windows Vista Service Pack 1 |
Remote Code Execution |
Critical |
||
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 |
Remote Code Execution |
Critical |
||
Windows Server 2008 for 32-bit Systems |
Remote Code Execution |
Critical |
Not Applicable |
|
Windows Server 2008 for x64-based Systems |
Remote Code Execution |
Critical |
Not Applicable |
|
Windows Server 2008 for Itanium-based Systems |
Remote Code Execution |
Critical |
Not Applicable |
 |
Severity Ratings and Vulnerability Identifiers |
|
|
Data Stream Handling Memory Corruption Vulnerability - CVE-2008-1085 |
* Windows 2000 (all editions)
* Windows XP (all editions)
* Windows Server 2003 (all editions)
* Windows Vista (all editions)
* Windows Server 2008 (all editions)
Microsoft thanks the following for working with us to help protect customers:
| • | Carsten Eiram of Secunia for reporting the Data Stream Handling Memory Corruption Vulnerability (CVE-2008-1085). |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (April 08, 2008): Bulletin published. |
| • | V1.1 (April 16, 2008): Corrected the uninstall utility path for Internet Explorer 6 for Windows XP. |
| • | V2.0 (April 22, 2008): Added Internet Explorer 7 for Windows XP Service Pack 3 to affected software. |
| • | V2.1 (April 23, 2008): Bulletin updated: Removed erroneous references to Windows XP Professional x64 Edition Service Pack 3. |
[***** End Microsoft Security Bulletin (MS08-024) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/