Tuesday, December 13, 2005

Microsoft Internet Explorer Vulnerabilities

Original release date: December 13, 2005
Last revised: December 23, 2005
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security Bulletin Summary for December 2005.

Overview

Microsoft has released updates that address critical vulnerabilities in Internet Explorer (IE). A remote, unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service on an affected system.


I. Description

The Microsoft Security Bulletins for December 2005 address vulnerabilities in Microsoft Windows and Internet Explorer. By convincing a user to view a specially crafted HTML document, such as a web page or an HTML email message or attachment, an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE or the program using the WebBrowser control to crash.

Further information is available in the following US-CERT Vulnerability Notes:

VU#887861 - Microsoft Internet Explorer vulnerable to code execution via mismatched DOM objects

Microsoft Internet Explorer fails to properly handle requests to mismatched DOM objects, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-1790)

VU#959049 - Several COM objects cause memory corruption in Microsoft Internet Explorer

Microsoft Internet Explorer allows instantiation of COM objects not designed for use in the browser, which may allow an attacker to execute arbitrary code or crash IE.
(CVE-2005-2127)


II. Impact

A remote, unauthenticated attacker exploiting these vulnerabilities could execute arbitrary code with the privileges of the user. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system or cause a denial of service.
