2009-2503 | Microsoft Internet Explorer code injection (BID-36647 / XFDB-53528)
|CVSS Meta Temp Score||Current Exploit Price (≈)||CTI Interest Score|
A vulnerability classified as very critical has been found in Microsoft Internet Explorer 6 (Web Browser). Affected is an unknown functionality. The manipulation with an unknown input leads to a privilege escalation vulnerability. CWE is classifying the issue as CWE-94. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka “GDI+ TIFF Memory Corruption Vulnerability.”
The weakness was released 10/14/2009 (Website). The advisory is shared for download at us-cert.gov. This vulnerability is traded as CVE-2009-2503 since 07/17/2009. It is possible to launch the attack remotely. The exploitation doesn’t require any form of authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 08/23/2021). It is expected to see the exploit prices for this product decreasing in the near future.
The vulnerability scanner Nessus provides a plugin with the ID 72908 (MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90551 (Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS09-062)).
Upgrading eliminates this vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 8661.
The vulnerability is also documented in the databases at X-Force (53528), Vulnerability Center (SBV-23752) and Tenable (72908). Entries connected to this vulnerability are available at 4051, 50451, 50449 and 50448.
VulDB Meta Base Score: 9.6
VulDB Meta Temp Score: 9.2
NVD Base Score: 🔍
Class: Privilege escalation
Status: Not defined
0-Day Time: 🔍
Status: Not defined
Vulnerability Center: 23752 – [MS09-062] Microsoft GDI+ Memory Corruption Remote Code Execution via a TIFF Image File, Critical
See also: 🔍
Enable the mail alert feature now!