Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 9.3
CVE Id CVE-2008-3475
Last Modified 26 Jan 2012 10:29:42
Published 14 Oct 2008 08:12:15
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-3475

Summary

Microsoft Internet Explorer 6 does not properly handle errors related to using the componentFromPoint method on xml objects that have been (1) incorrectly initialized or (2) deleted, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "Uninitialized Memory Corruption Vulnerability."

Vulnerable Systems

Application

  • Microsoft Internet Explorer 5.01

  • Microsoft Internet Explorer 6

  • Microsoft Internet Explorer 7


References

CERT - TA08-288A

BID - 31617

MS - MS08-058

XF - win-ms08kb956390-update(45565)

XF - ie-uninitialized-objects-code-execution(45563)

MISC - http://www.zerodayinitiative.com/advisories/ZDI-08-069/

VUPEN - ADV-2008-2809

SECTRACK - 1021047

BUGTRAQ - 20081015 Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution

HP - SSRT080143

MISC - http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.html

HP - HPSBST02379

Related Patches

MS08-058 Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB956390)

MS08-058 Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 x64 Edition (KB956390)


Last Updated: 27 May 2016 10:49:56