Severity: High
11 December, 2007
Summary:
Today, Microsoft released a security bulletin describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately. The patches fix all previous vulnerabilities, in addition to the newly announced flaws.
Exposure:
In a security bulletin released today as part of their monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0. Though they differ technically, all four vulnerabilities share the same general flaw. IE doesn’t properly handle certain HTML objects, which causes memory corruption. By luring one of your users into visiting a maliciously crafted web page, an attacker can exploit these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could gain complete control of the victim computer.
Severity: High
11 December, 2007
Summary:
Today, Microsoft released a security bulletin describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately. The patches fix all previous vulnerabilities, in addition to the newly announced flaws.
Exposure:
In a security bulletin released today as part of their monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0. Though they differ technically, all four vulnerabilities share the same general flaw. IE doesn’t properly handle certain HTML objects, which causes memory corruption. By luring one of your users into visiting a maliciously crafted web page, an attacker can exploit these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could gain complete control of the victim computer.
Solution Path:
These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.
- Internet Explorer 5.01
- Internet Explorer 6.0
-
- Microsoft no longer supports 98, ME, or XP SP1
- For Windows 2000
- For Windows XP SP2
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
-
- Internet Explorer 7.0
For All WatchGuard Users:
These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches to fix these vulnerabilities.