Notified:  June 05, 2000 Updated: October 25, 2000

Status

Affected

Vendor Statement

Microsoft recommends customers using Microsoft Internet Explorer version 4.0, 4.01, 5.0, or 5.01 apply the patch discussed in http://microsoft.com/technet/security/bulletin/ms00-037.asp and routinely use the Security Zones feature. The Security Zones feature of Internet Explorer allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Since most people visit a small number of familiar, professionally-operated web sites, and it's unlikely that such a site would pose any risk, we recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in each of these zones. In addition Microsoft recommends Outlook users install the Outlook Security Update http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm to protect against mail-borne attacks.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

As described in the Vulnerability Note and in the CERT Advisory, there are several configurations which continue to be vulnerable to this problem.