cnvd - cnvd-2019-24757

cnvd-2019-24757

Vulnerability from cnvd

Title

Microsoft Internet Explorer Scripting Engine远程内存破坏漏洞（CNVD-2019-24757）

Description

Internet Explorer，是微软公司推出的一款网页浏览器。原称Microsoft Internet Explorer和Windows Internet Explorer，简称IE。 Microsoft Internet Explorer Scripting Engine存在远程内存破坏漏洞，攻击者可以利用该漏洞在系统上执行任意代码，导致内存损坏系统拒绝服务。

Severity

高

Patch Name

Microsoft Internet Explorer Scripting Engine远程内存破坏漏洞（CNVD-2019-24757）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://portal.msrc.microsoft.com/en-us/security-guidance

Reference

https://www.securityfocus.com/bid/108669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1005 http://www.microsoft.com http://www.microsoft.com/ie/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1005

Impacted products

Name
Microsoft Internet Explorer

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108669"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1005"
    }
  },
  "description": "Internet Explorer\uff0c\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\u539f\u79f0Microsoft Internet Explorer\u548cWindows Internet Explorer\uff0c\u7b80\u79f0IE\u3002\n\nMicrosoft Internet Explorer Scripting Engine\u5b58\u5728\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u5bfc\u81f4\u5185\u5b58\u635f\u574f\u7cfb\u7edf\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Yuki Chen",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-24757",
  "openTime": "2019-07-29",
  "patchDescription": "Internet Explorer\uff0c\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\u539f\u79f0Microsoft Internet Explorer\u548cWindows Internet Explorer\uff0c\u7b80\u79f0IE\u3002\r\n\r\nMicrosoft Internet Explorer Scripting Engine\u5b58\u5728\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u5bfc\u81f4\u5185\u5b58\u635f\u574f\u7cfb\u7edf\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Internet Explorer Scripting Engine\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2019-24757\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft Internet Explorer"
  },
  "referenceLink": "https://www.securityfocus.com/bid/108669 \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1005 \r\nhttp://www.microsoft.com \r\nhttp://www.microsoft.com/ie/ \r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1005",
  "serverity": "\u9ad8",
  "submitTime": "2019-06-13",
  "title": "Microsoft Internet Explorer Scripting Engine\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2019-24757\uff09"
}

CVE-2019-1005 (GCVE-0-2019-1005)

Vulnerability from cvelistv5

Published

2019-06-12 13:49

Modified

2025-05-20 17:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O

CWE

Remote Code Execution

Summary

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

References

URL

Tags

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1005

vendor-advisory

Impacted products

Vendor

Product

Version

Microsoft

Internet Explorer 10

Version: 1.0.0 < publication

	Microsoft	Internet Explorer 9	Version: 1.0.0 < publication
	Microsoft	Internet Explorer 11	Version: 1.0.0 < publication

Show details on NVD website