- Internet Explorer versions 6.0 and later
By taking advantage of a vulnerability in Internet Explorer, an attacker may be able to take control of your computer.
Apply an update
Upgrade to Windows XP SP2
Follow good security practices
The following practices may offer additional protection against this vulnerability:
- Disable Active scripting - Attackers may be able to take advantage of Active scripting to exploit this vulnerability. Instructions for disabling Active scripting are available in the Malicious Web Scripts FAQ.
- Don't follow unsolicited links - By convincing you to follow a link, an attacker may be able to send you to a malicious site. Don't click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
- Maintain updated anti-virus software - It is important that you use anti-virus software and keep it up to date. Most anti-virus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many anti-virus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.
There is a vulnerability in the way Internet Explorer processes certain HTML code. By exploiting the vulnerability, an attacker may be able to take control of your computer or cause a denial of service.
For more technical information, see TA04-315A.
- Windows Security Update for December 2004 - <http://www.microsoft.com/security/bulletins/200412_windows.mspx>
- Browsing Safely: Understanding Active Content and Cookies - <http://www.us-cert.gov/cas/tips/ST04-012.html>
- Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
- Understanding Denial-of-Service Attacks - <http://www.us-cert.gov/cas/tips/ST04-015.html>
- Security Improvements in Windows XP Service Pack 2 - <http://www.us-cert.gov/cas/alerts/SA04-243A.html>
- US-CERT Technical Cyber Security Alert TA04-315A - <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>
- US-CERT Technical Cyber Security Alert TA04-336A - <http://www.us-cert.gov/cas/techalerts/TA04-336A.html>
- Vulnerability Note VU#842160 - <http://www.kb.cert.org/vuls/id/842160>
November 10, 2004: Initial release
December 3, 2004: Added information about MS04-040 update, SA04-336A, and TA04-336A, updated Systems Affected