Subject: US-CERT Cyber Security Alert SA04-315A -- Vulnerability in Microsoft Internet Explorer
Date: Wed, 10 Nov 2004 15:41:52 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 Cyber Security Alert SA04-315A

           Vulnerability in Microsoft Internet Explorer

   Original release date: November 10, 2004
   Last revised: --
   Source: US-CERT


Systems Affected

     * Internet Explorer versions 6.0 and later; previous versions of
       Internet Explorer may also be affected


Overview

     By taking advantage of a vulnerability in Internet Explorer, an
     attacker may be able to take control of your computer.


Solution

Upgrade to Windows XP SP2

     Windows XP Service Pack 2 does not seem to be affected. If you are
     running Windows XP, you can install Service Pack 2 using Windows
     Update or Automatic Updates.

Follow good security practices

     The following practices may offer additional protection against
     this vulnerability:

     * Disable Active scripting - Attackers may be able to take advantage
       of Active scripting to exploit this vulnerability. Instructions
       for disabling Active scripting are available in the Malicious Web
       Scripts FAQ.

     * Don't follow unsolicited links - By convincing you to follow a
       link, an attacker may be able to send you to a malicious site.
       Don't click on unsolicited URLs received in email, instant
       messages, web forums, or Internet relay chat (IRC) channels.

     * Read and send email in plain text format - Many email clients use
       the same programs as web browsers to display HTML, so
       vulnerabilities that affect active content like JavaScript and
       ActiveX often apply to email.

     * Maintain updated anti-virus software - It is important that you
       use anti-virus software and keep it up to date. Most anti-virus
       software vendors frequently release updated information, tools, or
       virus databases to help detect and recover from virus infections.
       Many anti-virus packages support automatic updates of virus
       definitions. US-CERT recommends using these automatic updates when
       possible.


Description

     There is a vulnerability in the way Internet Explorer processes
     certain HTML code. By exploiting the vulnerability, an attacker may
     be able to take control of your computer or cause a denial of
     service.

     For more technical information, see TA04-315A.


References

     * Browsing Safely: Understanding Active Content and Cookies -
       <http://www.us-cert.gov/cas/tips/ST04-012.html>

     * Understanding Anti-Virus Software -
       <http://www.us-cert.gov/cas/tips/ST04-005.html>

     * Understanding Denial-of-Service Attacks -
       <http://www.us-cert.gov/cas/tips/ST04-015.html>

     * Security Improvements in Windows XP Service Pack 2 -
       <http://www.us-cert.gov/cas/alerts/SA04-243A.html>

     * US-CERT Technical Cyber Security Alert TA04-315A -
       <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>

     * Vulnerability Note VU#842160 -
       <http://www.kb.cert.org/vuls/id/842160>

     _________________________________________________________________

   Feedback can be directed to US-CERT.

   Send mail to <cert@cert.org>.

   Please include the Subject line "SA04-315A Feedback VU#842160".
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use: <http://www.us-cert.gov/legal.html>
     _________________________________________________________________

   This document is available from  

   <http://www.us-cert.gov/cas/alerts/SA04-315A.html>
     _________________________________________________________________


   Revision History

   November 10, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
