Microsoft Internet Explorer URL code execution (HTML_IE_URL_Exec)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:

This signature looks for a specially-crafted URL that may lead to a buffer overflow in Microsoft Internet Explorer and remote code execution.


False positives

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: This signature may fire on benign traffic.

Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2480, IBM Security Server Protection for Windows: 2.0.300.2480, Proventia Network IDS: XPU 30.020, Proventia Network MFS: XPU 30.020, Proventia-G 1.1 and earlier: XPU 30.020, RealSecure Server Sensor: XPU 30.020, RealSecure Network: XPU 30.020, Proventia Desktop: 2480, Proventia Network IPS: XPU 30.020, Virtual Server Protection for VMware: XPU 30.020, Proventia Server IPS for Linux technology: 30.020

Systems affected

Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Internet Explorer: 7.0, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Internet Explorer: 8.0, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Explorer could allow a remote attacker to execute code on the system, caused by improper validation of user-supplied input sent to the ShellExecute API function. By persuading a victim to click on a specially-crafted URL, a remote attacker could exploit this vulnerability to execute a binary from the local client system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS10-002
Cumulative Security Update for Internet Explorer (978207)
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Microsoft Security Bulletin MS10-007
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
http://www.microsoft.com/technet/security/bulletin/ms10-007.mspx

Packetstorm Security Web Site
Microsoft Internet Explorer versions 7 and 8 suffer from an url validation vulnerability
http://www.packetstormsecurity.com/1002-exploits/ie-urlvalidation.txt

ZDI-10-016
Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-016/

Microsoft Security Bulletin MS10-018
Cumulative Security Update for Internet Explorer (980182)
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx

Microsoft Security Bulletin MS10-035
Cumulative Security Update for Internet Explorer (982381)
http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx

Microsoft Security Bulletin MS10-053
Cumulative Security Update for Internet Explorer (2183461)
http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx

Microsoft Security Bulletin MS10-071
Cumulative Security Update for Internet Explorer (2360131)
http://www.microsoft.com/technet/security/bulletin/ms10-071.mspx

Microsoft Security Bulletin MS10-090
Cumulative Security Update for Internet Explorer (2416400)
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx

Microsoft Security Bulletin MS11-003
Cumulative Security Update for Internet Explorer (2482017)
http://www.microsoft.com/technet/security/bulletin/ms11-003.mspx

Microsoft Security Bulletin MS11-018
Cumulative Security Update for Internet Explorer (2497640)
http://www.microsoft.com/technet/security/bulletin/ms11-018.mspx

Microsoft Security Bulletin MS11-050
Cumulative Security Update for Internet Explorer (2530548)
http://www.microsoft.com/technet/security/bulletin/ms11-050.mspx

Microsoft Security Bulletin MS11-057
Cumulative Security Update for Internet Explorer (2559049)
http://www.microsoft.com/technet/security/bulletin/ms11-057.mspx

Microsoft Security Bulletin MS11-081
Cumulative Security Update for Internet Explorer (2586448)
http://www.microsoft.com/technet/security/bulletin/ms11-081.mspx

Microsoft Security Bulletin MS11-099
Cumulative Security Update for Internet Explorer (2618444)
http://technet.microsoft.com/en-us/security/bulletin/MS11-099

ISS X-Force
Microsoft Internet Explorer URL code execution
http://www.iss.net/security_center/static/55773.php

CVE
CVE-2010-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0027