eEye: Internet Explorer Object Data Remote Execution Vulnerability
Release Date: August 20, 2003
Reported Date: May 15, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
Description:
eEye Digital Security has discovered a security vulnerability in Microsoft's
Internet Explorer that would allow executable code to run automatically upon
rendering malicious HTML.

This is a flaw in Microsoft's primary contribution to HTML, the Object tag,
which is used to embed basically all ActiveX into HTML pages. The parameter
that specifies the remote location of data for objects is not checked to
validate the nature of the file being loaded, and therefore trojan
executables may be run from within a webpage as silently and as easily as
Internet Explorer parses image files or any other "safe" HTML content.

This attack may be utilized wherever IE parses HTML, including web sites,
e-mail, newsgroups, and within applications utilizing web-browsing
functionality.
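A defensive check based on the description above, added here as an example and not part of eEye's advisory: it audits HTML (a web page or an e-mail body) for Object tags whose data parameter points to a remote location. The names audit_html and ObjectDataAuditor, the set of schemes treated as remote, and the sample markup are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes treated as "remote" here: an assumption of this example.
REMOTE_SCHEMES = {"http", "https", "ftp"}

def is_remote(url):
    """Return True when the URL names a location on another host."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative URL
        return True
    parsed = urlparse(url)
    return parsed.scheme.lower() in REMOTE_SCHEMES and bool(parsed.netloc)

class ObjectDataAuditor(HTMLParser):
    """Collects OBJECT elements whose data attribute is a remote location."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; <object .../> also lands here.
        if tag != "object":
            return
        attr = {name: (value or "") for name, value in attrs}
        data = attr.get("data", "").strip()
        if data and is_remote(data):
            line, _col = self.getpos()
            self.findings.append({"line": line, "data": data, "type": attr.get("type") or None})

def audit_html(html):
    auditor = ObjectDataAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample input; example.test uses the reserved .test TLD.
SAMPLE = """<html><body>
<img src="http://example.test/logo.gif">
<OBJECT DATA="http://example.test/content" width=1 height=1></OBJECT>
<object data="local/chart.svg" type="image/svg+xml"></object>
<object data='//example.test/widget'></object>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f"line {f['line']}: remote OBJECT data {f['data']} (declared type: {f['type']})")
```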