A vulnerability has been identified in Microsoft Windows, which could allow attackers to gain knowledge of sensitive information. This issue is caused due to Windows Search not properly restricting the environment within which scripts execute, which could allow the disclosure sensitive information, the forwarding of user data to a third party, or access to data on the affected system by tricking a user into opening or previewing a file placed on the system or in an e-mail message in an indexed mail box.

Affected Products

Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2

Microsoft Windows Search 4.0

Solution

Apply patches :
http://www.microsoft.com/technet/security/bulletin/ms09-023.mspx

References

http://www.vupen.com/english/advisories/2009/1542
http://www.microsoft.com/technet/security/bulletin/ms09-023.mspx

Credits

Vulnerabilities reported by Yair Amit (IBM Rational Application Security).

Changelog

2009-06-09 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.