Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (SA04-163A)

Cross-Domain Vulnerability in Internet Explorer

Original release date: June 11, 2004 | Last revised: July 30, 2004

Systems Affected

  • Microsoft Windows systems

    Overview

    Microsoft Internet Explorer (IE) contains a flaw that could allow attackers to run programs of their choice on your computer.

    Description

    Microsoft IE uses a cross-domain security model to separate content from different sources. A flaw in the model makes IE vulnerable to a cross-domain violation. Attackers could exploit this flaw to execute programs on your computer.

    Resolution

    Apply a patch

    Microsoft has released a patch to resolve this issue. It is available from Microsoft Windows Update or Microsoft Security Bulletin MS04-025.

    Disable Active scripting and ActiveX controls

    Instructions for disabling Active scripting and ActiveX controls in the Internet Zone can be found in the Malicious Web Scripts FAQ.

    Do not follow unsolicited links

    Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

    Run and maintain an antivirus product

    It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

    Author: Michael Durkota

    Copyright 2004 Carnegie Mellon University.

    Revision History

    • June 11, 2004: Initial release
    • July 30, 2004: Added patch information and links to MS04-025