Microsoft Internet Explorer object data pop-up and...


Date Discovered: October 3, 2003
Date Published: October 4, 2003
Last Updated: June 21, 2004

Vulnerability ID: 26199
Discovered by: anonymous
Exploitable Locally: No
Exploitable Remotely: Yes
Impact: Remote attackers can execute arbitrary code.
Root Cause: Software Vulnerability

Microsoft Internet Explorer contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code. The first vulnerability is due to how object data is processed in pop-up windows. The second vulnerability is due to how an object tag is handled in XML data binding. Internet Explorer does not correctly determine the object type in each instance. An attacker can exploit either vulnerability through a malicious web page or HTML email to execute arbitrary code.

Keyword(s): Bagle

Recommendations

Apply the patch provided by the vendor.

Microsoft Internet Explorer 5.01:
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

The patch can be installed on IE 5.01 running on Windows 2000 systems with Service Pack 3 or Service Pack 4 installed.

Microsoft Internet Explorer 5.5:
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

The Internet Explorer 5.5 patch can be installed on systems running Internet Explorer 5.5 Service Pack 2.

Microsoft Internet Explorer 6.0:
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

The Internet Explorer 6.0 patch can be installed on systems running IE 6.0 Gold or Internet Explorer 6.0 Service Pack 1.

Microsoft Internet Explorer 6.0 for Windows Server 2003:
http://www.microsoft.com/windows/ie/downloads/critical/828750s/default.asp

As a workaround solution for Internet Explorer 6.0 for Windows Server 2003, use Enhanced Security Configuration.

Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1 will include the fix for this issue.

This patch supersedes the one provided in Microsoft Security Bulletin MS03-032, which is itself a cumulative patch.

Workarounds:

1. Change the settings for the Internet security zone to prompt before running ActiveX components.
2. Restrict access to only trusted Web sites.
3. View e-mail messages in plaintext only.

Additionally, Windows Media Player users should install the update described at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828026
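
Workaround 1 can be verified on a host by reading the Internet zone's URL action from the registry. The script below is an added example, not part of the original advisory or the vendor's guidance. It assumes the standard Internet Settings zone layout (zone 3 = Internet, action 1200 = "Run ActiveX controls and plug-ins"); the function names and the lookup order are choices made for this example.

```powershell
# Audit whether the Internet zone prompts (or blocks) before running ActiveX controls.
# URL action 1200 = "Run ActiveX controls and plug-ins": 0 = Enable, 1 = Prompt, 3 = Disable.
$Zone    = 3          # 3 = Internet zone
$Action  = '1200'
$Suffix  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

# Places the value can be defined, policy locations first.
# The lookup order is an assumption of this example.
$Locations = @(
    "HKLM:\Software\Policies\$Suffix",
    "HKCU:\Software\Policies\$Suffix",
    "HKCU:\Software\$Suffix",
    "HKLM:\Software\$Suffix"
)

function Get-ActiveXZoneSetting {
    foreach ($path in $Locations) {
        $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.$Action
            $label = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown' }
            return [pscustomobject]@{
                Path      = $path
                Value     = $value
                Setting   = $label
                # Only Prompt or Disable satisfies the workaround.
                Compliant = ($value -eq 1 -or $value -eq 3)
            }
        }
    }
    # No location defines the action: report it rather than guess the effective default.
    return [pscustomobject]@{ Path = $null; Value = $null; Setting = 'Not configured'; Compliant = $false }
}

function Set-ActiveXZonePrompt {
    # Applies the workaround for the current user only; a policy value, if present, still wins.
    $path = "HKCU:\Software\$Suffix"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 1 -Type DWord
}

$result = Get-ActiveXZoneSetting
$result | Format-List
if (-not $result.Compliant) { Write-Warning 'Internet zone does not prompt before running ActiveX controls.' }
```

`Set-ActiveXZonePrompt` is defined but not called, so running the script as written only reports the current state.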

Vendor advisory:
MS03-040
828750

Affected Technologies

Microsoft: Internet Explorer 5.01
Microsoft: Internet Explorer 5.01 SP1
Microsoft: Internet Explorer 5.01 SP2
Microsoft: Internet Explorer 5.01 SP3
Microsoft: Internet Explorer 5.01 SP4
Microsoft: Internet Explorer 5.5
Microsoft: Internet Explorer 5.5 SP1
Microsoft: Internet Explorer 5.5 SP2
Microsoft: Internet Explorer 6
Microsoft: Internet Explorer 6 SP1
Microsoft: Internet Explorer 6.0 for Windows Server 2003

References

Microsoft: MS03-040
Mitre CVE: CAN-2003-0809
Mitre CVE: CAN-2003-0838

 

 

More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=26199
