Update Available for Microsoft Internet Explorer Vulnerability
Systems Affected
Microsoft Windows systems running
- Internet Explorer versions 6 and later (see MS04-040 for affected software and components)
- Other programs that host the WebBrowser ActiveX control
Overview
Microsoft Security Bulletin MS04-040 contains an update to fix a buffer overflow vulnerability in Internet Explorer.
Description
TA04-315A describes a buffer overflow vulnerability in Microsoft Internet Explorer HTML elements that could allow a remote attacker to execute arbitrary code. Note that any program that hosts the WebBrowser ActiveX control could be affected.
Microsoft Security Bulletin MS04-040 contains an update to fix this vulnerability.
The vulnerability is described in further detail in VU#842160.
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web
page or an HTML email message), an attacker could execute arbitrary code
with the privileges of the user. The attacker could also cause IE to crash.
Reports indicate that this vulnerability is being exploited by malicious
code referred to as MyDoom.{AG,AH,AI} or Bofra.
Solution
Install an update
Install the appropriate update according to Microsoft Security Bulletin MS04-040.
For additional information about the update, including possible adverse effects, please see Microsoft Knowledge Base articles 889293 and 889669.
Internet Explorer 6 on Windows XP SP2 is not vulnerable. Please see MS04-040 for information about affected software and components.
Appendix A. References
- Microsoft Security Bulletin MS04-040 - http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
- MS04-040: Cumulative Security Update for Internet Explorer (IE 6.0 SP1) - http://support.microsoft.com/kb/889293
- An update rollup is available for Internet Explorer 6 SP1 - http://support.microsoft.com/kb/889669
- US-CERT Technical Cyber Security Alert TA04-315A - http://www.us-cert.gov/cas/techalerts/TA04-315A.html
- Vulnerability Note VU#842160 - http://www.kb.cert.org/vuls/id/842160
- About the Browser (Internet Explorer - WebBrowser) - http://msdn.microsoft.com/workshop/browser/overview/Overview.asp
Feedback can be directed to the authors: Will Dormann and Art Manion.
Revision History
- December 1, 2004: Initial release
- December 3, 2004: Added information about IE 6 on Windows XP SP2