From alerts@us-cert.gov Fri Jun 11 17:34:20 2004
From: US-CERT Alerts
To: alerts@us-cert.gov
Date: Fri, 11 Jun 2004 17:03:46 -0400
Subject: US-CERT Cyber Security Alert SA04-163A -- Cross-Domain Vulnerability in Internet Explorer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Alert SA04-163A
Cross-Domain Vulnerability in Internet Explorer

   Original release date: June 11, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows systems

Overview

   Microsoft Internet Explorer (IE) contains a flaw that could allow
   attackers to run programs of their choice on your computer.

Description

   Microsoft IE uses a cross-domain security model to separate content
   from different sources. A flaw in the model makes IE vulnerable to a
   cross-domain violation. Attackers could exploit this flaw to execute
   programs on your computer.

Resolution

  Apply a patch

   Although a patch is not yet available for this issue, it is a good
   practice to use Microsoft Windows Update to help ensure the security
   of your computer.

  Disable Active scripting and ActiveX Controls

   Instructions for disabling Active scripting and ActiveX controls in
   the Internet Zone can be found in the Malicious Web Scripts FAQ.

  Do not follow unsolicited links

   Do not click on unsolicited URLs received in email, instant messages,
   web forums, or internet relay chat (IRC) channels.

  Run and maintain an antivirus product

   It is important that you use antivirus software and keep it up to
   date. Most antivirus software vendors frequently release updated
   information, tools, or virus databases to help detect and recover
   from virus infections. Many antivirus packages support automatic
   updates of virus definitions. US-CERT recommends using these
   automatic updates when possible.

References

     * US-CERT Technical Alert TA04-163A -
     * Vulnerability Note VU#713878 -
     * Microsoft Windows Update -
     * Malicious Web Scripts FAQ -
     * Protect Your PC -
     * Increase Your Browsing and E-Mail Safety -
   _________________________________________________________________

   Author: Michael Durkota
   _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use:
   _________________________________________________________________

   Feedback: Please include the Subject line "SA04-104A Feedback
   VU#667571".
   _________________________________________________________________

   The most recent version of this document can be found at:
   _________________________________________________________________

   Revision History

   June 11, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyhYLXlvNRxAkFWARAh0vAKC3D0q77SYCL0LjV91eypbSB7YhJwCg/ctE
KX/+5Db78A6vQjAZiTtKG78=
=+CAJ
-----END PGP SIGNATURE-----