Microsoft Internet Explorer Filter Cross Site Scripting Vulnerability
Date Discovered: 01/22/2010
Severity: High
Operating Systems Affected:
Microsoft Windows 2000 SP4
Microsoft Windows XP SP2
Microsoft Windows XP SP3
Microsoft Windows XP Professional x64 SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Vista
Microsoft Windows Vista SP1
Microsoft Windows Vista SP2
Microsoft Windows 7
Application Affected: Microsoft Internet Explorer 8
Type: Remote
Identifiers: CVE-2009-4074
Synopsis
Microsoft Internet Explorer is prone to a cross-site scripting vulnerability because of a design flaw in the browser's cross-site scripting filter.

Microsoft Internet Explorer, under certain circumstances, disables an HTML attribute in otherwise appropriately filtered response data. As a result, a specially crafted Web page could be loaded in such a way that an attacker could execute script in the context of the logged-on user in a different Internet domain.

An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.

An attacker can exploit this issue to execute arbitrary script code in the context of the user running the application and to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.