Microsoft Internet Explorer contains a flaw in DHTML method handling which may allow a remote attacker to execute arbitrary code.
The DHTML method handling in Internet Explorer fails to perform proper bounds checking. This vulnerability may allow data to be written outside the boundary of a buffer, creating a heap overflow condition that may allow remote attackers to execute arbitrary code. To exploit this vulnerability, the attacker would craft a malicious web page and convince the user to visit it, either by clicking on a link in a web page or in an email message.
A remote attacker may be able to execute arbitrary code with the privileges of the user running Internet Explorer.
Apply an update
Microsoft Windows users should use Windows Update to automatically obtain the correct fixes, or apply the relevant patches outlined in Microsoft Security Bulletin MS05-014, described in Microsoft Knowledge Base Article 867282.
Disabling Active scripting in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone, and 315933 for information about displaying the Local Machine Zone (My Computer security zone) on the Security tab in the Internet Options dialog box.
Note that disabling Active scripting in the Internet Zone will reduce the functionality of some web sites. Disabling this feature in the Local Machine Zone will reduce the functionality of some programs, including the Help and Support Center in Windows XP.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.
Read and send email in plain text format
Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Affected Unknown __ Unaffected
Notified: February 08, 2005 Updated: February 08, 2005
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation has published information on this vulnerability in Microsoft Security Bulletin MS05-014, with details in Microsoft Knowlege Base Article 867282.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
Thanks to the Microsoft Corporation for reporting this vulnerability, who in turn credit Andreas Sandblad of Secunia for reporting the information
This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.
CVE IDs: | CVE-2005-0055
Severity Metric:** | 31.88
Date Public: | 2005-02-08
Date First Published: | 2005-02-08
Date Last Updated: | 2005-08-22 13:13 UTC
Document Revision: | 13