Reported August 20, 2003, by Microsoft.
VERSIONS AFFECTED
- Microsoft Internet Explorer (IE) 6.0 for Windows Server 2003
- Microsoft IE 6.0, 5.5, and 5.01
DESCRIPTION
Two new vulnerabilities exist in Microsoft Internet Explorer (IE), the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These two new vulnerabilities are as follows:
- A vulnerability in IE's cross-domain security model can result in the execution of script in the My Computer zone. The flaw exists because a file from the Internet or an intranet that contains a maliciously constructed URL can appear in the browser cache and then run in the My Computer zone.
- A vulnerability occurs because IE doesn't properly determine the type of an object that a Web server returns. An attacker who exploits this vulnerability can run arbitrary code on the user's system.
VENDOR RESPONSE
Microsoft has released Security Bulletin MS03-032, "Cumulative Patch for Internet Explorer (822925)," to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin.
CREDIT
Discovered by Yu-Arai of LAC, eEye Digital Security, and Greg Jones of KPMG UK.