Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.8
CVE Id: CVE-2009-2064
Last Modified: 24 Jun 2009 01:34:44
Published: 15 Jun 2009 03:30:05
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2009-2064

Summary

Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."

Vulnerable Systems

Application

  • Microsoft Internet Explorer 5

  • Microsoft Internet Explorer 5.01

  • Microsoft Internet Explorer 6

  • Microsoft Internet Explorer 7

  • Microsoft Internet Explorer 7.0.5730

  • Microsoft Internet Explorer 8

  • Microsoft Internet Explorer 8.0b

  • Microsoft Pocket Internet Explorer 1.0

  • Microsoft Pocket Internet Explorer 1.1

  • Microsoft Pocket Internet Explorer 2.0

  • Microsoft Pocket Internet Explorer 2002

  • Microsoft Pocket Internet Explorer 2003

  • Microsoft Pocket Internet Explorer 3.0

  • Microsoft Pocket Internet Explorer 4.0


References

XF - ie-https-security-bypass(51186)

BID - 35403

MISC - http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf

MISC - http://research.microsoft.com/apps/pubs/default.aspx?id=79323


Last Updated: 27 May 2016 10:50:46