OSVDB ID: 36397

Title: Microsoft IE Crafted CSS Unspecified Memory Corruption

Dates

Disclosure: Aug 14, 2007
Discovery: Unknown
Exploit: Unknown
Solution: Aug 14, 2007

Description

Microsoft IE contains a flaw that may allow a malicious user to gain the same user rights as the logged-in user. The issue is triggered when IE parses certain strings in CSS. A malicious person can construct a specially crafted website that could remotely execute code on the visitor's computer.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation, Other
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to IE version 6 or 7, as it has been reported to fix this vulnerability. Additionally, the vendor has released the MS07-045 cumulative security update to address this issue. Otherwise, users may opt to apply the following workaround: do not browse untrusted websites.

Products

Microsoft Corporation

Internet Explorer for Windows

5.0.1 SP4

References

Credit

  • Hu Qianwei


Direct URL: http://osvdb.org/36397