Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7268
HistoryDec 02, 2004 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA04-336A -- Update for Microsoft Internet Explorer HTML Elements Vulnerability

2004-12-0200:00:00
vulners.com
56
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

         Technical Cyber Security Alert TA04-336A

Update for Microsoft Internet Explorer HTML Elements Vulnerability

Original release date: December 1, 2004
Last revised: –
Source: US-CERT

Systems Affected

Microsoft Windows systems running

 * Internet Explorer versions 6 and later (see MS04-040 for affected
   software and components)

 * Other programs that host the WebBrowser ActiveX control

Overview

Microsoft Security Bulletin MS04-040 contains an update to fix a
buffer overflow vulnerability in Internet Explorer.

I. Description

TA04-315A describes a buffer overflow vulnerability in Microsoft
Internet Explorer HTML elements that could allow a remote attacker to
execute arbitrary code. Note that any program that hosts the
WebBrowser ActiveX control could be affected. Microsoft Security
Bulletin MS04-040 contains an update to fix this vulnerability.

The vulnerability is described in further detail in VU#842160.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g.,
a web page or an HTML email message), an attacker could execute
arbitrary code with the privileges of the user. The attacker could
also cause IE to crash.

Reports indicate that this vulnerability is being exploited by
malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.

III. Solution

Install an update

Install the appropriate update according to Microsoft Security
Bulletin MS04-040. For additional information about the update,
including possible adverse effects, please see Microsoft Knowledge
Base articles 889293 and 889669.

Appendix A. References

 * Microsoft Security Bulletin MS04-040 -
   <http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx>

 * MS04-040: Cumulative Security Update for Internet Explorer (IE 6.0
   SP1) - <http://support.microsoft.com/kb/889293>

 * An update rollup is available for Internet Explorer 6 SP1 -
   <http://support.microsoft.com/kb/889669>

 * US-CERT Technical Cyber Security Alert TA04-315A -
   <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>

 * Vulnerability Note VU#842160 -
   <http://www.kb.cert.org/vuls/id/842160>

 * About the Browser (Internet Explorer - WebBrowser) -
   <http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>

 _________________________________________________________________

Feedback can be directed to the authors: Will Dormann and Art Manion.

Send mail to <[email protected]>.

Please include the Subject line "TA04-336A Feedback VU#842160".

 _________________________________________________________________

Copyright 2004 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html&gt;

 _________________________________________________________________

The most recent version of this document can be found at:

 &lt;http://www.us-cert.gov/cas/techalerts/TA04-336A.html&gt;

 _________________________________________________________________

Revision History

December 1, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQa5IqhhoSezw4YfQAQK9ZAf7BHn69m5KRp64ePmJii0a1UCmZLimEdoF
16f11YLjUZljUvCjDD21pPv0jiPYY5cmFcHXZdlpovu/x6FnxuNvmV0GUYGENy27
qSzBt6aHc2oAHsouxb77x9ZIlg/k6+yjX82HqcR9+ITIXDx5SfTEz4jJsCJ86I7y
UTZqpMSQIniE8QDJ2VsoVnLylvC1RqgUCEXf+/526XDu/udIpQ+pahuewNUy+bgH
cj28U7WnjEAI9X/dgmCKu9znTtSfFL0Lm1YxDvF/tH1+q/9z9KmdldT16HbGPjJO
K0xbbFkpgKy9apXTF3MOzlb/ehXMXLgOwV37IXCD49TAhQy2FBe5CQ==
=w9cf
-----END PGP SIGNATURE-----

JSON