CVE-2009-1918

Name of the Vulnerable Software and Affected Versions: Microsoft Internet Explorer versions 5.01 SP4 through 8

Description: A remote code execution issue exists due to improper handling of table operations, allowing attackers to execute arbitrary code via a crafted HTML document that triggers memory corruption by adding malformed elements to an empty DIV element, related to the getElementsByTagName method. This could be exploited by constructing a specially crafted Web page. When a user views the Web page, the issue could allow remote code execution, potentially giving an attacker the same user rights as the logged-on user. If the user has administrative rights, the attacker could take complete control of the affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations: For Microsoft Internet Explorer versions 5.01 SP4 through 8, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to Web pages that could potentially exploit this issue until a patch is available. Avoid using the getElementsByTagName method in affected HTML documents until the issue is resolved.