From alerts@us-cert.gov Fri Jun 11 17:34:20 2004
From: US-CERT Alerts <alerts@us-cert.gov>
To: alerts@us-cert.gov
Date: Fri, 11 Jun 2004 17:03:46 -0400
Subject: US-CERT Cyber Security Alert SA04-163A -- Cross-Domain
    Vulnerability in Internet Explorer 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Alert SA04-163A 

Cross-Domain Vulnerability in Internet Explorer

   Original release date: June 11, 2004
   Last revised: --
   Source: US-CERT


Systems Affected

     Microsoft Windows systems


Overview

     Microsoft Internet Explorer (IE) contains a flaw that could allow
     attackers to run programs of their choice on your computer.


Description

     Microsoft IE uses a cross-domain security model to separate content
     from different sources. A flaw in the model makes IE vulnerable to
     a cross-domain violation. Attackers could exploit this flaw to
     execute programs on your computer.


Resolution

Apply a patch

     Although a patch is not yet available for this issue, it is a good
     practice to use Microsoft Windows Update to help ensure the
     security of your computer.

Disable Active scripting and ActiveX Controls

     Instructions for disabling Active scripting and ActiveX controls
     in the Internet Zone can be found in the Malicious Web Scripts
     FAQ.

Do not follow unsolicited links

     Do not click on unsolicited URLs received in email, instant
     messages, web forums, or internet relay chat (IRC) channels.

Run and maintain an antivirus product

     It is important that you use antivirus software and keep it up to
     date. Most antivirus software vendors frequently release updated
     information, tools, or virus databases to help detect and recover
     from virus infections. Many antivirus packages support automatic
     updates of virus definitions. US-CERT recommends using these
     automatic updates when possible.


References

     * US-CERT Technical Alert TA04-163A -
       <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>

     * Vulnerability Note VU#713878 -
       <http://www.kb.cert.org/vuls/id/713878>

     * Microsoft Windows Update -
       <http://windowsupdate.microsoft.com/>

     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html>

     * Protect Your PC -
       <http://www.microsoft.com/security/protect/default.asp>

     * Increase Your Browsing and E-Mail Safety -
       <http://www.microsoft.com/security/incident/settings.mspx>

     _________________________________________________________________

   Author:  Michael Durkota
     _________________________________________________________________


   Copyright 2004 Carnegie Mellon University.

   Terms of use:  <http://www.us-cert.gov/legal.html>

     _________________________________________________________________

   Feedback:  <mailto:cert@cert.org>

   Please include the Subject line "SA04-104A Feedback VU#667571".
     _________________________________________________________________


   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/alerts/SA04-163A.html>

     _________________________________________________________________


   Revision History

   June 11, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyhYLXlvNRxAkFWARAh0vAKC3D0q77SYCL0LjV91eypbSB7YhJwCg/ctE
KX/+5Db78A6vQjAZiTtKG78=
=+CAJ
-----END PGP SIGNATURE-----