CVE-2009-1528

Name of the Vulnerable Software and Affected Versions: Microsoft Internet Explorer versions 6 and 7 for Windows XP SP2 and SP3 Microsoft Internet Explorer versions 6 and 7 for Server 2003 SP2 Microsoft Internet Explorer version 7 for Vista Gold, SP1, and SP2 Microsoft Internet Explorer version 7 for Server 2008 SP2

Description: The issue arises from the improper synchronization of AJAX requests, allowing remote attackers to execute arbitrary code via a large number of concurrent, asynchronous XMLHttpRequest calls. This is related to the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit this by constructing a specially crafted Web page, potentially leading to remote code execution. If successfully exploited, an attacker could gain the same user rights as the logged-on user, and if the user has administrative rights, the attacker could take complete control of the affected system.

Recommendations: For Microsoft Internet Explorer versions 6 and 7 for Windows XP SP2 and SP3, update to a newer version to mitigate the risk. For Microsoft Internet Explorer versions 6 and 7 for Server 2003 SP2, update to a newer version to mitigate the risk. For Microsoft Internet Explorer version 7 for Vista Gold, SP1, and SP2, update to a newer version to mitigate the risk. For Microsoft Internet Explorer version 7 for Server 2008 SP2, update to a newer version to mitigate the risk.