Reported June 04, 2003, by Microsoft.


  • Microsoft Internet Explorer (IE) 6.0 for Windows Server 2003

  • Microsoft IE 6.0, 5.5, 5.01


Two new vulnerabilities in Microsoft IE can result in the execution of arbitrary code on the vulnerable system. These vulnerabilities are as follows:

  • A buffer overrun vulnerability results from IE incorrectly determining the type of an object that a Web server returns.

  • IE fails to properly block the file-download dialog box.

In each case, if a user visits a hostile Web site, an attacker can exploit the vulnerability to run arbitrary code on the user's system without requiring any further action from the user. An attacker can also craft an HTML email message to exploit these vulnerabilities.


Microsoft has released Security Bulletin MS03-020, "Cumulative Patch for Internet Explorer (818529)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.


Discovered by eEye Digital Security.