Reported June 04, 2003, by Microsoft.
Microsoft Internet Explorer (IE) 6.0 for Windows Server 2003
Microsoft IE 6.0, 5.5, 5.01
Two new vulnerabilities in Microsoft IE can result in the execution of arbitrary code on the vulnerable system. These two new vulnerabilities are as follows:
A buffer overrun vulnerability results from IE improperly determining an object type that a Web server returns.
IE doesn't implement an appropriate block on a file-download dialog box.
In each case, if a user visits a hostile Web site, an attacker can exploit the vulnerability to run arbitrary code on the user's system without requiring any other user action. The attacker can also craft an HTML email message to exploit these vulnerabilities.
Microsoft has released Security Bulletin MS03-020, "Cumulative Patch for Internet Explorer (818529)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
Discovered by eEye Digital Security.