Today, we released MS09-023, a bulletin for Windows Search 4.0. It addresses an information disclosure vulnerability rated as Moderate. We would like to go into more detail in this blog to help you understand:
What is the attack vector?
The vulnerability in Windows Search allows script in HTML files to be executed without a prompt.
A typical attack scenario would be as follows:
Why is this vulnerability rated as Moderate?
As shown above, significant user interaction is required in order for exploitation to occur. Also, Windows Search is an optional component that is not installed in the default configuration. That’s why we rated this vulnerability as Moderate instead of Important.
What is the risk of MSHTML hosting apps?
Windows Search uses MSHTML, a.k.a. Trident, the Internet Explorer browser rendering engine, for rendering HTML content. While this is a great solution for displaying a rich user interface in an application, it is necessary to understand that MSHTML hosting can increase the attack surface of the hosting application if the hosting isn’t done correctly, as illustrated by this vulnerability in Windows Search. David Ross has written a wonderful SRD blog about this topic. Please refer to “The MSHTML Host Security FAQ: Part I of II” and “The MSHTML Host Security FAQ: Part II of II” for more details.
- Chengyun, MSRC Engineering
*Postings are provided "AS IS" with no warranties, and confer no rights.*