Oval Definition:oval:org.mitre.oval:def:7569
Revision Date:2014-08-18
Version:50
Title:WinINet and Windows HTTP Services Credential Reflection Vulnerability
Description:Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family:windows
Class:vulnerability
Status:ACCEPTED
Reference(s):CVE-2009-0550
Platform(s):Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s):Microsoft Internet Explorer
Definition Synopsis
  • IE5/Microsoft Windows 2000
  • Microsoft Windows 2000 is installed
  • AND Microsoft Internet Explorer 5.01 SP4 is installed
  • AND Mshtml.dll version is less than 5.0.3874.1900
  • OR IE6/Microsoft Windows 2000
  • Microsoft Windows 2000 is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.2800.1625
  • OR IE6/Microsoft Windows XP
  • Microsoft Windows XP is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.2900.3527
  • OR IE6/Microsoft Windows XP (32-bit)
  • Microsoft Windows XP (32-bit) is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.2900.5764
  • OR IE6/Microsoft Server 2003 (32-bit)
  • Microsoft Windows Server 2003 (32-bit) is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.3304
  • OR IE6/Microsoft Server 2003 (32-bit)
  • Microsoft Windows Server 2003 (32-bit) is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.4470
  • OR IE6/XP x64/Server 2003 x64
  • XP x64/Server 2003 x64
  • Microsoft Windows XP x64 is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.3304
  • OR IE6/XP x64/Server 2003 x64
  • XP x64/Server 2003 x64
  • Microsoft Windows XP x64 is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.4470
  • OR IE6/Server 2003 ia64
  • Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.3304
  • OR IE6/Server 2003 ia64
  • Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Microsoft Internet Explorer 6 is installed
  • AND Mshtml.dll version is less than 6.0.3790.4470
  • OR IE7/XP x86/x64
  • XP x86/x64
  • Microsoft Windows XP (32-bit) is installed
  • OR Microsoft Windows XP x64 is installed
  • AND Microsoft Internet Explorer 7 is installed
  • AND Mshtml.dll version is greater than 7.0.6000.16000
  • AND Mshtml.dll version is less than 7.0.6000.16825
  • OR IE7/XP x86/x64
  • XP x86/x64
  • Microsoft Windows XP (32-bit) is installed
  • OR Microsoft Windows XP x64 is installed
  • AND Microsoft Internet Explorer 7 is installed
  • AND Mshtml.dll version is greater than 7.0.6000.20000
  • AND Mshtml.dll version is less than 7.0.6000.21015
  • OR IE7/Server 2003 x86/x64/ia64
  • Server 2003 x86/x64/ia64
  • Microsoft Windows Server 2003 (32-bit) is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • OR Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Microsoft Internet Explorer 7 is installed
  • AND Mshtml.dll version is greater than 7.0.6000.16000
  • AND Mshtml.dll version is less than 7.0.6000.16825
  • OR IE7/Server 2003 x86/x64/ia64
  • Server 2003 x86/x64/ia64
  • Microsoft Windows Server 2003 (32-bit) is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • OR Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Microsoft Internet Explorer 7 is installed
  • AND Mshtml.dll version is greater than 7.0.6000.20000
  • AND Mshtml.dll version is less than 7.0.6000.21015
  • OR Mshtml.dll/Vista x86/x64
  • Vista x86/x64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • AND Mshtml.dll version is greater than 7.0.6000.16000
  • AND Mshtml.dll version is less than 7.0.6000.16830
  • OR Mshtml.dll/Vista x86/x64
  • Vista x86/x64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • AND Mshtml.dll version is greater than 7.0.6000.20000
  • AND Mshtml.dll version is less than 7.0.6000.21023
  • OR Mshtml.dll/Vista x86/x64, Server 2008 x86/x64/ia64
  • Vista x86/x64, Server 2008 x86/x64/ia64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • OR Microsoft Windows Server 2008 (32-bit) is installed
  • OR Microsoft Windows Server 2008 (64-bit) is installed
  • OR Microsoft Windows Server 2008 (ia-64) is installed
  • AND Mshtml.dll version is greater than 7.0.6001.16000
  • AND Mshtml.dll version is less than 7.0.6001.18226
  • OR Mshtml.dll/Vista x86/x64, Server 2008 x86/x64/ia64
  • Vista x86/x64, Server 2008 x86/x64/ia64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • OR Microsoft Windows Server 2008 (32-bit) is installed
  • OR Microsoft Windows Server 2008 (64-bit) is installed
  • OR Microsoft Windows Server 2008 (ia-64) is installed
  • AND Mshtml.dll version is greater than 7.0.6001.20000
  • AND Mshtml.dll version is less than 7.0.6001.22389
  • OR winhttp.dll version 5.1.2600.3490 or later on Windows 2000
  • Microsoft Windows 2000 is installed
  • AND system32\winhttp.dll version less than 5.1.2600.3490
  • OR winhttp.dll version 5.1.2600.3494 or later on Windows XP x86
  • Microsoft Windows XP (32-bit) is installed
  • AND system32\winhttp.dll version less than 5.1.2600.3494
  • OR winhttp.dll version 5.1.2600.5727 or later on Windows XP x86
  • Microsoft Windows XP (32-bit) is installed
  • AND system32\winhttp.dll version less than 5.1.2600.5727
  • OR winhttp.dll version 5.2.3790.3262 or later on Windows XP x64
  • Microsoft Windows XP x64 is installed
  • AND system32\winhttp.dll version less than 5.2.3790.3262
  • OR winhttp.dll version 5.2.3790.4427 or later on Windows XP x64
  • Microsoft Windows XP x64 is installed
  • AND system32\winhttp.dll version less than 5.2.3790.4427
  • OR winhttp.dll version 5.2.3790.3262 or later on Windows Server 2003 (x86)(x64)(ia64)
  • Server 2003 x86/x64/ia64
  • Microsoft Windows Server 2003 (32-bit) is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • OR Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Winsxs\winhttp.dll version less than 5.2.3790.3262
  • OR winhttp.dll version 5.2.3790.4427 or later on Windows Server 2003 (x86)(x64)(ia64)
  • Server 2003 x86/x64/ia64
  • Microsoft Windows Server 2003 (32-bit) is installed
  • OR Microsoft Windows Server 2003 (x64) is installed
  • OR Microsoft Windows Server 2003 (ia64) Gold is installed
  • AND Winsxs\winhttp.dll version less than 5.2.3790.4427
  • OR winhttp.dll version 6.0.6000.16786 or later on Windows Vista GDR (x86)(x64)
  • Vista x86/x64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • AND system32\winhttp.dll version greater than or equal 6.0.6000.16000
  • AND system32\winhttp.dll version less than 6.0.6000.16786
  • OR winhttp.dll version 6.0.6000.20971 or later on Windows Vista LDR (x86)(x64)
  • Vista x86/x64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • AND system32\winhttp.dll version greater than or equal 6.0.6000.20000
  • AND system32\winhttp.dll version less than 6.0.6000.20971
  • OR winhttp.dll version 6.0.6001.18178 or later on Windows Server 2008 SP1 GDR (x86)(x64)(ia64) and Windows Vista SP1 GDR (x86)(x64)
  • Vista x86/x64, Server 2008 x86/x64/ia64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • OR Microsoft Windows Server 2008 (32-bit) is installed
  • OR Microsoft Windows Server 2008 (64-bit) is installed
  • OR Microsoft Windows Server 2008 (ia-64) is installed
  • AND system32\winhttp.dll version greater than or equal 6.0.6001.18000
  • AND system32\winhttp.dll version less than 6.0.6001.18178
  • OR winhttp.dll version 6.0.6001.22323 or later on Windows Server 2008 SP1 LDR (x86)(x64)(ia64) and Windows Vista SP1 GDR (x86)(x64)
  • Vista x86/x64, Server 2008 x86/x64/ia64
  • Microsoft Windows Vista (32-bit) is installed
  • OR Microsoft Windows Vista x64 Edition is installed
  • OR Microsoft Windows Server 2008 (32-bit) is installed
  • OR Microsoft Windows Server 2008 (64-bit) is installed
  • OR Microsoft Windows Server 2008 (ia-64) is installed
  • AND system32\winhttp.dll version greater than or equal 6.0.6001.22000
  • AND system32\winhttp.dll version less than 6.0.6001.22323