Overview
Microsoft Agent contains a vulnerability that could allow a remote attacker to spoof trusted Internet content.
Description
Microsoft Agent is a software extension that enhances user interaction through the use of interactive personalities in the form of animated characters. Applications and web pages can be programmed to invoke Microsoft Agent to make navigation and other tasks easier and more natural for the user. A flaw in Microsoft Agent allows security prompts to be disguised by a Microsoft Agent character. As a result, users could be led to believe that they are accessing trusted Internet content when, in fact, they are accessing malicious Internet content. The user could subsequently be convinced to unintentionally allow the installation of malicious software. A remote attacker with the ability to craft a malicious web page and persuade or trick a user into visiting it could exploit this vulnerability. |
Impact
An attacker could spoof trusted Internet content, resulting in the installation of malicious code on the victim system. |
Solution
Apply a patch |
Workarounds
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits Michael Krax with discovering and reporting this issue to them.
This document was written by Chad Dougherty based on information provided by Microsoft.
Other Information
| CVE IDs: | CVE-2005-1214 |
| Severity Metric: | 9.00 |
| Date Public: | 2005-06-14 |
| Date First Published: | 2005-06-14 |
| Date Last Updated: | 2005-08-02 18:50 UTC |
| Document Revision: | 11 |