PT-2010-1852 · Microsoft · Windows 2000+4

Published: 2010-01-22 · Updated: 2023-12-07 · CVE-2010-0027

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Microsoft Internet Explorer versions 5.01 through 8
Microsoft Windows 2000 SP4
Microsoft Windows XP SP2 and SP3
Microsoft Windows Server 2003 SP2

Description

A remote code execution issue exists due to improper input validation in the URL validation functionality of Microsoft Internet Explorer and the ShellExecute API function in Windows. This allows remote attackers to execute arbitrary local programs via a crafted URL. An attacker who successfully exploits this issue could gain the same user rights as the logged-on user, potentially taking complete control of an affected system if the user has administrative rights.

Recommendations

For Microsoft Internet Explorer versions 5.01 through 8, update to a version that properly validates input parameters to prevent remote code execution. For Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, ensure the ShellExecute API function is properly sanitized to prevent code execution vulnerabilities. As a temporary workaround, consider restricting access to the ShellExecute API function until a patch is available. Avoid using crafted URLs that could exploit the URL validation functionality in Internet Explorer until the issue is resolved.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2010-0027
ZDI-10-016

Affected Products

Internet Explorer
Windows
Windows 2000
Windows Server 2003
Windows XP