Security Bypass in Microsoft Internet Explorer 8 and Other Versions
CVE-2009-2064

Currently unrated

Key Information:

Vendor: Microsoft
CVE Published: 15 June 2009

Summary

A vulnerability exists in Microsoft Internet Explorer 8: the browser detects HTTP content in HTTPS web pages only when the top-level frame is served over HTTPS. A man-in-the-middle attacker can exploit this by modifying an HTTP page to add an HTTPS iframe that references an external script file hosted on an HTTP site. Because the top-level frame is HTTP, the mixed content goes undetected, which can lead to the execution of arbitrary web script in the context of HTTPS sites and the compromise of user data.
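The difference between a mixed-content check gated on the top-level frame and one applied to every frame can be shown on a small model. This is an added example, not code from the advisory or from Internet Explorer; the frame-tree shape, function names and hosts are assumptions made for illustration.

```javascript
// Constructed sample: an HTTP top-level page embedding an HTTPS iframe whose
// document loads a script over HTTP. All hosts are placeholders.
const sampleTree = {
  url: "http://news.example/index.html",
  resources: [],
  frames: [{
    url: "https://secure.example/account",
    resources: [{ type: "script", url: "http://cdn.example/lib.js" }],
    frames: [],
  }],
};

const scheme = (u) => new URL(u).protocol;

// Walk the whole frame tree and report every HTTP load made by an HTTPS document,
// including HTTP child frames embedded in an HTTPS frame.
function* insecureLoads(frame) {
  const secure = scheme(frame.url) === "https:";
  if (secure) {
    for (const r of frame.resources) {
      if (scheme(r.url) === "http:") yield { frame: frame.url, type: r.type, url: r.url };
    }
  }
  for (const child of frame.frames) {
    if (secure && scheme(child.url) === "http:") {
      yield { frame: frame.url, type: "frame", url: child.url };
    }
    yield* insecureLoads(child);
  }
}

// Model of the behaviour in the summary: nothing is checked unless the
// top-level frame itself is HTTPS.
function topLevelGatedCheck(top) {
  return scheme(top.url) === "https:" ? [...insecureLoads(top)] : [];
}

// Per-frame check: each document is judged by its own scheme.
function perFrameCheck(top) {
  return [...insecureLoads(top)];
}

console.log("gated on top-level frame:", topLevelGatedCheck(sampleTree));
console.log("checked per frame:", perFrameCheck(sampleTree));
```

On the sample tree the gated check reports nothing, while the per-frame check flags the HTTP script loaded by the HTTPS iframe.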

EPSS Score

18% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
