
Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA04-336A)

Update Available for Microsoft Internet Explorer Vulnerability

Original release date: December 01, 2004 | Last revised: December 03, 2004

Systems Affected

Microsoft Windows systems running

Overview

Microsoft Security Bulletin MS04-040 contains an update to fix a buffer overflow vulnerability in Internet Explorer.


Description

TA04-315A describes a buffer overflow vulnerability in Microsoft Internet Explorer HTML elements that could allow a remote attacker to execute arbitrary code. Note that any program that hosts the WebBrowser ActiveX control could be affected. Microsoft Security Bulletin MS04-040 contains an update to fix this vulnerability.

The vulnerability is described in further detail in VU#842160.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE to crash.

Reports indicate that this vulnerability is being exploited by malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.

Solution

Install an update

Install the appropriate update according to Microsoft Security Bulletin MS04-040. For additional information about the update, including possible adverse effects, please see Microsoft Knowledge Base articles 889293 and 889669.

Internet Explorer 6 on Windows XP SP2 is not vulnerable. Please see MS04-040 for information about affected software and components.

Appendix A. References



Feedback can be directed to the authors: Will Dormann and Art Manion.



Revision History

  • December 1, 2004: Initial release
  • December 3, 2004: Added information about IE 6 on Windows XP SP2
