HighProventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects the transfer of JavaScript code that could cause a vulnerable version of Microsoft Internet Explorer to take control over a victim's computer.
High
Proventia Network IPS: XPU 29.090, Proventia Desktop: 2430, RealSecure Network: XPU 29.090, RealSecure Server Sensor: XPU 29.090, Proventia-G 1.1 and earlier: XPU 29.090, Proventia Network IDS: XPU 29.090, Proventia Network MFS: XPU 29.090, IBM Security Server Protection for Windows: 2.1.14.2430, IBM Security Server Protection for Windows: 1.0.914.2430, IBM Security Server Protection for Windows: 2.0.300.2430, Proventia Server IPS for Linux technology: 29.090, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows XP: x64 Professional, Microsoft JScript: 5.1, Microsoft JScript: 5.6, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft JScript: 5.7, Microsoft JScript: 5.8, Microsoft Windows Server 2008, Microsoft Windows Server 2008: SP2, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
The Microsoft Windows JScript scripting engine could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability regarding the decoding of scripts within a Web page. By persuading a victim to visit a specially-crafted Web site that is running the malicious script, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS09-045
Vulnerability in JScript Scripting Engines Could Allow Remote Code Execution (971961)
http://www.microsoft.com/technet/security/bulletin/ms09-045.mspx
http://www.iss.net/threats/346.html
Microsoft Windows JScript Remote Code Execution
IBM Internet Security Systems Protection Alert
ZDI-09-062
Microsoft Internet Explorer JScript arguments Invocation Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-062/
Microsoft Security Bulletin MS11-031
Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
http://www.microsoft.com/technet/security/bulletin/ms11-031.mspx
ISS X-Force
Microsoft Windows Jscript code execution
http://www.iss.net/security_center/static/52770.php
CVE
CVE-2009-1920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1920