Software Engineering Institute

Microsoft Internet Explorer is an application that ships with Microsoft Windows systems. It is used as an Internet browser as well as being integrated in to the local system. Internet Explorer has a security domain zone model to separate content that it parses and displays into various security domains. These security domains limit the ability of the content to perform tasks that could be dangerous such as scripting, execution of code, etc... A vulnerability in Internet Explorer permits content created with Dynamic HTML (DHTML) to operate in the Internet zone, rather than the less trusted Restricted zone.

The attacker must get the victim to visit a malicious site, or view malicious content in order to exploit this vulnerability. The content may be a web site or an HTML-parsable email message for example.

According to the Microsoft Security Bulletin, the following supported versions of Internet Explorer are affected:

• Internet Explorer 5.01 SP3
• Internet Explorer 5.01 SP4
• Internet Explorer 5.5 SP2
• Internet Explorer 6.0 Gold
• Internet Explorer 6.0 SP1
• Internet Explorer 6.0 for Windows Server 2003

Exploitation may permit an attacker to operate in the Internet zone, rather than the Restricted zone. In conjunction with other vulnerabilities, it may be possible to execute code in the local computer zone with the privileges of the current user.

Microsoft has released MS03-040 which addresses this issue. A similar vulnerability in Microsoft Windows Media Player is addressed in Microsoft Knowledgebase article 828026 (VU#222044).