Published: 2010/12/15  Last Updated: 2012/06/07

JVN#21120853
Internet Explorer vulnerable to cross-site scripting

Overview

Microsoft Internet Explorer contains a vulnerability in handling specific character encoding which may result in a cross-site scripting attack.

Products Affected

  • Internet Explorer 6 for Windows XP SP3
  • Internet Explorer 6 for Windows XP x64 Edition SP2
  • Internet Explorer 7 for Windows XP SP3
  • Internet Explorer 7 for Windows XP x64 Edition SP2
  • Internet Explorer 7 for Windows Vista SP1 and SP2
  • Internet Explorer 7 for Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
  • Internet Explorer 8 for Windows XP SP3
  • Internet Explorer 8 for Windows XP x64 Edition SP2
  • Internet Explorer 8 for Windows Vista SP1 and SP2
  • Internet Explorer 8 for Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
  • Internet Explorer 8 for Windows 7 and Windows 7 x64
For more information, refer to the information provided by Microsoft.

Description

Microsoft Internet Explorer contains a vulnerability in handling specific EUC-JP or Shift_JIS encoded characters, which may result in cross-site scripting.

Impact

An arbitrary script may be executed.

Solution

Update the Software
Apply the latest update according to the information provided by Microsoft.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2010.12.15

Measures: Conditions (Severity)
  • Access Required: can be attacked over the Internet using packets (High)
  • Authentication: anonymous or no authentication (IP addresses do not count) (High)
  • User Interaction Required: the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file (Mid)
  • Exploit Complexity: the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious (High)

Description of each analysis measures

Credit

NetAgent Co.,Ltd. and hoshikuzu|star_dust reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2010-3342
JVN iPedia JVNDB-2010-000064

Update History

2012/06/07
Information under the section "Credit" was updated.