
CERT-In Vulnerability Note CIVN-2005-112
Microsoft Internet Explorer "window()" object Vulnerability

Updated: December 15, 2005
Original Issue Date: November 22, 2005

Severity Rating: High

Systems Affected

Microsoft Internet Explorer 5.5 SP2 and 6.x running on

  • Windows 95
  • Windows 98 Any Edition
  • Windows Me
  • Windows XP Any Edition with SP1/SP2
  • Windows 2000 Any Edition with SP4
  • Windows 2003 Any Edition with SP1 with the Enhanced Security Configuration turned off
  • Small Business Server Any Edition
  • Windows NT 4.0

Overview

A vulnerability has been reported in Microsoft Internet Explorer versions 5.5 and 6.x that allows a remote user to execute arbitrary code or cause a denial of service.

Description

It has been observed that Microsoft Internet Explorer 5.5 and 6.x fail to properly initialize the JavaScript "Window()" function when it is used in conjunction with a <BODY onload> event. A remote attacker could use this vulnerability to execute arbitrary code or cause a denial of service.

It has been observed that exploit code for this vulnerability is available on the Internet.

Workaround

Disable Active Scripting for untrusted sites.
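
One way to verify the workaround on a host, added here as an example and not taken from the CERT-In note or from Microsoft: it reads the Active Scripting URL action (registry value 1400) for each Internet Explorer security zone and reports whether it is set to Disabled. Assumptions: "untrusted sites" is taken to mean the Internet (3) and Restricted sites (4) zones, and policy keys are consulted before the per-user preference; the function name is hypothetical.

```powershell
# Added example: audit the Active Scripting URL action (1400) per IE security zone.
# Zone numbers and action values follow the Internet Settings registry encoding.
$ZoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Suffix      = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumed lookup order: machine policy, user policy, then user preference.
$Roots = @(
    "HKLM:\SOFTWARE\Policies\$Suffix",
    "HKCU:\Software\Policies\$Suffix",
    "HKCU:\Software\$Suffix"
)

function Get-ActiveScriptingSetting {
    # Hypothetical helper: defaults to the zones treated here as "untrusted".
    param([int[]]$Zone = @(3, 4))

    foreach ($z in $Zone) {
        $value  = $null
        $source = $null
        foreach ($root in $Roots) {
            # A missing key or value is not an error; move on to the next location.
            $item = Get-ItemProperty -Path "$root\$z" -Name '1400' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value  = [int]$item.'1400'
                $source = $root
                break
            }
        }
        $setting = 'Not set'
        if ($null -ne $value) {
            $setting = $ActionNames[$value]
            if ($null -eq $setting) { $setting = "Unknown ($value)" }
        }
        [pscustomobject]@{
            Zone              = $ZoneNames[$z]
            Setting           = $setting
            Source            = $source
            WorkaroundApplied = ($value -eq 3)   # 3 = Active Scripting disabled
        }
    }
}

# Report the Internet and Restricted sites zones for the current user.
Get-ActiveScriptingSetting | Format-Table -AutoSize
```

A zone reported as "Enabled", "Prompt" or "Not set" does not have the workaround applied and still depends on the MS05-054 update.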

Solution

Apply the appropriate security update as mentioned in Microsoft Security Bulletin MS05-054.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/911302.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx

References

Secunia Advisory
http://secunia.com/advisories/15546/

SecurityFocus Advisory
http://www.securityfocus.com/bid/13799

Xforce
http://xforce.iss.net/xforce/xfdb/20783

US-CERT VU#887861
http://www.us-cert.gov/current/current_activity.html#iewindow

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003