CVE-2009-1917

Name of the Vulnerable Software and Affected Versions: Microsoft Internet Explorer 6 SP1 Internet Explorer 6 for Windows XP SP2 and SP3 and Server 2003 SP2 Internet Explorer 7 and 8 for Windows XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2

Description: The issue arises from the improper handling of attempts to access deleted objects in memory, allowing remote attackers to execute arbitrary code via a crafted HTML document that triggers memory corruption. This can be exploited by constructing a specially crafted Web page, which when viewed by a user, could allow remote code execution. An attacker who successfully exploits this issue could gain the same user rights as the logged-on user, potentially taking complete control of an affected system if the user has administrative rights. This could enable the attacker to install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations: For Microsoft Internet Explorer 6 SP1, update to a version that properly handles memory objects to prevent exploitation. For Internet Explorer 6 for Windows XP SP2 and SP3 and Server 2003 SP2, apply the necessary patch to fix the memory corruption issue. For Internet Explorer 7 and 8 for Windows XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2, consider disabling the rendering of crafted HTML documents until a patch is available. As a temporary workaround, restrict access to Web pages that could potentially exploit this issue until the vulnerability is patched.