Severity: High
9 October , 2007
Summary:
Today, Microsoft released a security bulletin describing three vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted web page or into opening a maliciously crafted HTML email, an attacker could exploit five of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately. The patches fix the newly announced vulnerabilities, in addition to all previous ones.
Exposure:
In a security bulletin released today as part of their monthly patch update, Microsoft describes three vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0.
The worst of these three vulnerabilities has to do with a flaw in the way IE handles a certain error involving file downloads. Triggering this error in a particular way causes memory corruption. By luring one of your users into visiting a malicious web page that forces this error, an attacker can exploit this memory corruption vulnerability to execute code on that user’s computer, with that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of their machines.
Severity: High
9 October , 2007
Summary:
Today, Microsoft released a security bulletin describing three vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted web page or into opening a maliciously crafted HTML email, an attacker could exploit five of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately. The patches fix the newly announced vulnerabilities, in addition to all previous ones.
Exposure:
In a security bulletin released today as part of their monthly patch update, Microsoft describes three vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0.
The worst of these three vulnerabilities has to do with a flaw in the way IE handles a certain error involving file downloads. Triggering this error in a particular way causes memory corruption. By luring one of your users into visiting a malicious web page that forces this error, an attacker can exploit this memory corruption vulnerability to execute code on that user’s computer, with that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of their machines.
The remaining two flaws both involve unspecified address bar spoofing vulnerabilities. Though Microsoft doesn’t describe these flaws in technical detail, they do warn that attackers can exploit them in URL spoofing attacks. If you’d like to learn more about these vulnerabilities refer to the “Vulnerability Information” section of Microsoft’s bulletin .
Solution Path:
These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.
- Internet Explorer 5.01
- Internet Explorer 6.0
-
- Microsoft no longer supports 98, ME, or XP SP1
- For Windows 2000
- For Windows XP SP2
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
-
- Internet Explorer 7.0
For All WatchGuard Users:
These attacks travel as normal-looking HTTP traffic, which you need to allow so your network users can access the World Wide Web. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches to fix these vulnerabilities.
References: