Reported August 20, 2003, by Microsoft.
Microsoft Internet Explorer (IE) 6.0 for Windows Server 2003
Microsoft IE 6.0, 5.5, and 5.01
Two new vulnerabilities exist in Microsoft Internet Explorer (IE), the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These two new vulnerabilities are as follows:
A vulnerability in IE's cross-domain security model can result in the execution of script in the My Computer zone. The flaw exists because a file from the Internet or intranet containing a maliciously constructed URL can appear in the browser cache running in the My Computer zone.
A vulnerability occurs because IE doesn't properly determine an object type that a Web server returns. An attacker can exploit this vulnerability to run arbitrary code on a user's system.
Microsoft has released Security Bulletin MS03-032, "Cumulative Patch for Internet Explorer (822925)," to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin.