SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer CDF Scripting Error Lets Remote Users Execute Scripting Code in Arbitrary Domains
SecurityTracker Alert ID:  1013126
SecurityTracker URL:  http://securitytracker.com/id/1013126
CVE Reference:   CVE-2005-0056
Date:  Feb 8 2005
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.01 SP3 and SP4, 5.5 SP2, 6 SP1
Description:   A vulnerability was reported in Microsoft Internet Explorer in the processing of URLs in Channel Definition Format (CDF) files. A remote user can cause scripting code to be executed in an arbitrary security zone.

The vendor reported that Internet Explorer does not properly process URLs in CDF files. A remote user can create specially crafted HTML that, when loaded by the target user, will execute scripting code in an arbitrary zone, including the Local Computer zone.

Significant user interaction is required to exploit this flaw.

The vendor indicates that this vulnerability has been previously reported [Editor's note: The vendor did not reference any particular report].

Impact:   A remote user can cause scripting code to be executed on the target user's system in an arbitrary security domain.
Solution:   The vendor has issued the following fixes:

Internet Explorer 5.01 Service Pack 3 (SP3) on Windows 2000 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=34F5BCDE-4EE2-4EFD-BB60-F5A6BC5F56D1

Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4C2CBB4B-2F00-4CD6-BB98-AD14A48B53C0

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E473CD05-3320-4322-B437-F3A61E62F567

Internet Explorer 6 for Windows XP Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=7EAE62C0-3DA0-4BAC-B2FE-ECE89959053D

Internet Explorer 6 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4DC0FE8A-9D03-4AB8-8EAF-C85FF25CB1A2

Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E3C4DA1F-6FA2-4A2B-A6D9-24B599C353B3

Internet Explorer 6 for Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=82056EAB-8367-4B04-A11A-1002D14EB55B

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms05-014.mspx
Cause:   Access control error
Underlying OS:  Windows (98), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC