Reported June 04, 2003, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Internet Explorer (IE) 6.0 for Windows Server 2003

  • Microsoft IE 6.0, 5.5, 5.01

DESCRIPTION

Two new vulnerabilities in Microsoft IE can result in the execution of arbitrary code on the vulnerable system. These two new vulnerabilities are as follows:

  • A buffer overrun vulnerability results from IE improperly determining an object type that a Web server returns.

  • IE doesn't implement an appropriate block on a file-download dialog box.

In each case, if a user visits a hostile Web site, an attacker can exploit the vulnerability to run arbitrary code on the user's system without requiring any other user action. The attacker can also craft an HTML email message to exploit these vulnerabilities.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS03-020, "Cumulative Patch for Internet Explorer (818529)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

CREDIT

Discovered by eEye Digital Security.