Published: 2010/12/15  Last Updated: 2010/12/15

JVN#62275332
Internet Explorer vulnerable to cross-site scripting

Overview

Microsoft Internet Explorer contains a cross-site scripting vulnerability due to the way file types are determined.

Products Affected

  • Internet Explorer 6 for Windows XP SP3
  • Internet Explorer 6 for Windows XP x64 Edition SP2
  • Internet Explorer 7 for Windows XP SP3
  • Internet Explorer 7 for Windows XP x64 Edition SP2
  • Internet Explorer 7 for Windows Vista SP1 and SP2
  • Internet Explorer 7 for Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
  • Internet Explorer 8 for Windows XP SP3
  • Internet Explorer 8 for Windows XP x64 Edition SP2
  • Internet Explorer 8 for Windows Vista SP1 and SP2
  • Internet Explorer 8 for Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
  • Internet Explorer 8 for Windows 7 and Windows 7 x64
For more information, refer to the information provided by Microsoft.

Description

Microsoft Internet Explorer contains a vulnerability in handling Content-Type, which may result in cross-site scripting.

Impact

An arbitrary script may be executed.

Solution

Update the Software
Apply the latest update according to the information provided by Microsoft.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2010.12.15

Measures: Conditions (Severity)
  • Access Required: can be attacked over the Internet using packets (Severity: High)
  • Authentication: anonymous or no authentication (IP addresses do not count) (Severity: High)
  • User Interaction Required: the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file (Severity: Mid)
  • Exploit Complexity: the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious (Severity: High)

Credit

Yoshinari Fukumoto of Rakuten, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2010-3342
JVN iPedia: JVNDB-2010-000062