U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA05-347A)

Microsoft Internet Explorer Vulnerabilities

Original release date: December 13, 2005 | Last revised: December 23, 2005

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer
For more complete information, refer to the Microsoft Security Bulletin Summary for December 2005.

Overview

Microsoft has released updates that address critical vulnerabilities in Internet Explorer (IE). A remote, unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service on an affected system.

Description

The Microsoft Security Bulletins for December 2005 address vulnerabilities in Microsoft Windows and Internet Explorer. By convincing a user to view a specially crafted HTML document, such as a web page or an HTML email message or attachment, an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE or the program using the WebBrowser control to crash.

Further information is available in the following US-CERT Vulnerability Notes:

VU#887861 - Microsoft Internet Explorer vulnerable to code execution via mismatched DOM objects

Microsoft Internet Explorer fails to properly handle requests to mismatched DOM objects, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-1790)

VU#959049 - Several COM objects cause memory corruption in Microsoft Internet Explorer

Microsoft Internet Explorer allows instantiation of COM objects not designed for use in the browser, which may allow an attacker to execute arbitrary code or crash IE.
(CVE-2005-2127)

Impact

A remote, unauthenticated attacker exploiting these vulnerabilities could execute arbitrary code with the privileges of the user. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system or cause a denial of service.

Solution

Apply Updates

Microsoft has provided the updates for these and other vulnerabilities in the December 2005 Security Bulletins and on the Microsoft Update site.

Disable ActiveX

Disable ActiveX to prevent IE from instantiating COM objects. Disabling ActiveX in the Internet Zone will provide increased protection against the vulnerabilities described in VU#959049 and VU#680526. Instructions for disabling ActiveX are available in the CERT/CC Malicious Web Scripts FAQ. Note that disabling ActiveX will reduce the functionality of some web sites. For example, the Microsoft Update site will not work with ActiveX disabled. To enable ActiveX for a web site, add that site to the Trusted Sites Zone. The default settings for the Trusted Sites Zone enable ActiveX.

The updates provided by MS05-037, MS05-038, MS05-052, and MS05-054 set the kill bit for a number of vulnerable COM objects. There may, however, be other vulnerable COM objects that have not yet been identified. To protect against future threats, consider disabling ActiveX in addition to applying the MS05-054 update.


Appendix A. References


Feedback can be directed to the US-CERT Technical Staff.

Revision History

  • December 13, 2005: Initial release, added workaround for ActiveX use in Trusted Sites Zone
    December 23, 2005: Updated Solution to disable ActiveX and apply update

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top