Vulnerability in Microsoft Internet Explorer
Systems Affected
- Internet Explorer versions 6.0 and later
Overview
By taking advantage of a vulnerability in Internet Explorer, an attacker may be able to take control of your computer.
Solution
Apply an update
Microsoft has released an update
to resolve this problem. Obtain the appropriate update from Windows Update or by using Automatic
Updates.Upgrade to Windows XP SP2
Windows XP Service Pack 2 is not affected. If you are running Windows XP, you can
install Service Pack 2 using Windows Update or Automatic
Updates.Follow good security practices
The following practices may offer additional protection against
this vulnerability:
- Disable Active scripting - Attackers
may be able to take advantage of Active scripting to
exploit this vulnerability. Instructions for disabling Active scripting are available in the Malicious
Web Scripts FAQ.
- Don't follow unsolicited links - By convincing you to
follow a link, an attacker may be able to send you to a malicious
site. Don't click on unsolicited URLs received in email, instant
messages, web forums, or Internet relay chat (IRC) channels.
- Read and send email in plain text format - Many email
clients use the same programs as web browsers to display HTML, so
vulnerabilities that affect active content like JavaScript and ActiveX
often apply to email.
- Maintain updated anti-virus software - It is important
that you use anti-virus software and keep it up to date. Most
anti-virus software vendors frequently release updated information,
tools, or virus databases to help detect and recover from virus
infections. Many anti-virus packages support automatic updates of
virus definitions. US-CERT recommends using these automatic updates
when possible.
Description
There is a vulnerability in the way Internet Explorer processes
certain HTML code. By exploiting the vulnerability, an attacker may be
able to take control of your computer or cause a denial of service.For more technical information, see TA04-315A.
References
- Windows Security Update for December 2004 - <http://www.microsoft.com/security/bulletins/200412_windows.mspx>
- Browsing Safely: Understanding Active Content and Cookies - <http://www.us-cert.gov/cas/tips/ST04-012.html>
- Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
- Understanding Denial-of-Service Attacks - <http://www.us-cert.gov/cas/tips/ST04-015.html>
- Security Improvements in Windows XP Service Pack 2 - <http://www.us-cert.gov/cas/alerts/SA04-243A.html>
- US-CERT Technical Cyber Security Alert TA04-315A - <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>
- US-CERT Technical Cyber Security Alert TA04-336A - <http://www.us-cert.gov/cas/techalerts/TA04-336A.html>
- Vulnerability Note VU#842160 - <http://www.kb.cert.org/vuls/id/842160>
Feedback
can be directed to US-CERT -->.
Copyright 2004 Carnegie Mellon University.
Terms of use
Revision History
-
November 10, 2004: Initial release
December 3, 2004: Added information about MS04-040 update, SA04-336A, and TA04-336A, updated Systems Affected
Last updated
This product is provided subject to this Notification and this Privacy & Use policy.