[Am-info] Microsoft Internet Explorer Multiple Vulnerabilities - AGAIN!!

Fred A. Miller fmiller@lightlink.com
Wed, 20 Aug 2003 17:38:40 -0400


Microsoft Internet Explorer Multiple Vulnerabilities

TITLE:
Microsoft Internet Explorer Multiple Vulnerabilities

READ ONLINE:
http://www.secunia.com/advisories/9580/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01

DESCRIPTION:
Microsoft has issued a cumulative patch which fixes multiple
vulnerabilities. The worst could lead to execution of arbitrary code
on the client system via HTML emails or web sites.

1) A cross domain vulnerability exists in the way Internet Explorer
retrieves files from the cache. This could be exploited by a malicious
HTML document to execute arbitrary scripting in the "My Computer
Zone".

2) Internet Explorer does not properly determine object types. This
could possibly be exploited by malicious HTML documents to execute
arbitrary code.

3) The Kill Bit will be set on the Windows Reporting Tool ActiveX
control "BR549.DLL". This ActiveX control contains a vulnerability
which could be exploited by malicious HTML documents to execute
arbitrary code.

Furthermore, a language specific variant of the older object type tag
buffer overflow vulnerability (MS03-020) has been identified and is
fixed in this patch.

This update also fixes other minor issues.

SOLUTION:
The patch is available from

http://windowsupdate.microsoft.com/

or

http://www.microsoft.com/windows/ie/downloads/critical/822925/default.asp

REPORTED BY / CREDITS:
Yu-Arai, LAC
eEye Digital Security
Greg Jones, KPMG UK

ORIGINAL ADVISORY:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

-- 
"...Linux, MS-DOS, and Windows XP (also known as the Good, the Bad, and
the Ugly)."