===================================================================== CERT-Renater Note d'Information No. 2008/VULN032 _____________________________________________________________________ DATE : 13/02/2008 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Internet Explorer. ====================================================================== MS08-010 - Critical - Cumulative Security Update for Internet Explorer (944533) Published: February 12, 2008 Version: 1.0 This critical security update resolves three privately reported and one publicly reported vulnerabilities. The most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Affected Software o Microsoft Windows 2000 Service Pack 4 - Microsoft Internet Explorer 5.01 Service Pack 4 o Microsoft Windows 2000 Service Pack 4 - Microsoft Internet Explorer 6 Service Pack 1 o Windows XP Service Pack 2 - Microsoft Internet Explorer 6 o Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 - Microsoft Internet Explorer 6 o Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 - Microsoft Internet Explorer 6 o Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 - Microsoft Internet Explorer 6 o Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Microsoft Internet Explorer 6 o Windows XP Service Pack 2 - Windows Internet Explorer 7 o Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 - Windows Internet Explorer 7 o Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 - Windows Internet Explorer 7 o Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 - Windows Internet Explorer 7 o Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Windows Internet Explorer 7 o Windows Vista - Windows Internet Explorer 7 o Windows Vista x64 Edition - Windows Internet Explorer 7 Vulnerability Information HTML Rendering Memory Corruption Vulnerability - CVE-2008-0076 A remote code execution vulnerability exists in the way Internet Explorer interprets HTML with certain layout combinations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Workarounds for HTML Rendering Memory Corruption Vulnerability - CVE-2008-0076 o Microsoft has not identified any workarounds for this vulnerability. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================