Description: Microsoft has issued a cumulative patch, which fixes multiple vulnerabilities in Internet Explorer. These vulnerabilities can potentially be exploited to bypass Internet Explorer security restrictions and execute arbitrary code with the privileges of the current user.
Three different vulnerabilities allow malicious HTML documents such as emails or web pages to bypass the security zone restrictions and to perform actions in the Local Zone (My Computer Zone). These vulnerabilities can be exploited to execute code with the privileges of the current user.
One vulnerability allows malicious HTML documents to bypass the security zone restrictions using an XML object. This can be exploited to read arbitrary local files on the system.
One vulnerability allows malicious HTML documents to manipulate the way drag-and-drop works in DHTML events. This can be exploited to trick a user into accepting a file download by making the user click a malicious link. The file can be saved in an arbitrary location.
Changelog: 2003-11-19: Added link to CERT vulnerability note.
2003-11-20: Added link to CERT vulnerability notes.
2004-03-02: Added Windows XP Embedded as affected.
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.