New IE browser hole open to spammers

US-CERT has released a warning about a new buffer overflow vulnerability in Microsoft Internet Explorer (IE) that can be exploited to execute arbitrary code with the privileges of the user running IE.

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.

Other programs (e.g., Outlook, Outlook Express, AOL, Lotus Notes) that use the WebBrowser ActiveX control could also be affected by this vulnerability. If your MS Outlook application has the preview pane enabled, the HTML is rendered as soon as the message is selected, so you may be infected before you even have a chance to delete the spam.

To avoid the possibility of being affected by this latest vulnerability do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

If you can, install Microsoft Windows XP SP2 as it does not appear to be affected by this vulnerability.

If you can’t upgrade to SP2, configure your email client software to render email messages in plain text. Instructions to configure Outlook 2002, Outlook 2003, and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594, 831607, and 291387, respectively.
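The same plain-text setting can be applied per user without clicking through the Outlook options dialog. The script below is an added example, not part of the original post or of US-CERT's advisory: it writes the ReadAsPlain value that KB 307594 (Outlook 2002, Office 10.0) and KB 831607 (Outlook 2003, Office 11.0) describe, and reports the before/after state. The registry paths and value name are quoted from memory of those articles and should be checked against the KB text before being rolled out; Outlook Express 6 (KB 291387) uses a different per-identity key and is not covered here.

```powershell
# Added example (not from the original post or from US-CERT): switch Outlook 2002
# (Office 10.0) and Outlook 2003 (Office 11.0) to render all mail as plain text.
# Assumption: the per-user DWORD ReadAsPlain under
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail
# is the value KB 307594 / KB 831607 describe. Verify before deploying.
# Runs in the affected user's session; HKCU needs no administrator rights.

$officeVersions = @{
    '10.0' = 'Outlook 2002'
    '11.0' = 'Outlook 2003'
}

foreach ($version in $officeVersions.Keys) {
    $name    = $officeVersions[$version]
    $keyPath = "HKCU:\Software\Microsoft\Office\$version\Outlook\Options\Mail"

    # Skip versions this user has never run.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$version\Outlook")) {
        Write-Host "$name not present for this user, skipping."
        continue
    }

    # The Options\Mail subkey may not exist until the client writes it.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $keyPath -Name ReadAsPlain `
                -ErrorAction SilentlyContinue).ReadAsPlain
    $shown = if ($null -eq $current) { 'unset' } else { $current }

    if ($current -eq 1) {
        Write-Host "$name already reads mail as plain text (ReadAsPlain = 1)."
    } else {
        Set-ItemProperty -Path $keyPath -Name ReadAsPlain -Value 1 -Type DWord
        Write-Host "$name set to plain text (ReadAsPlain was $shown, now 1)."
    }
}

# Verification pass: print the effective value for each installed client.
foreach ($version in $officeVersions.Keys) {
    $keyPath = "HKCU:\Software\Microsoft\Office\$version\Outlook\Options\Mail"
    if (Test-Path $keyPath) {
        $value = (Get-ItemProperty -Path $keyPath -Name ReadAsPlain `
                  -ErrorAction SilentlyContinue).ReadAsPlain
        $shown = if ($null -eq $value) { 'unset' } else { $value }
        '{0,-14} ReadAsPlain = {1}' -f $officeVersions[$version], $shown
    }
}
```

Outlook reads this value at start-up, so restart it after running the script. Plain-text rendering only protects the preview pane and the default message view; a user who opens a message and switches it back to HTML, or clicks a link in it, still hands the content to the vulnerable IE engine.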

Antivirus software may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Source: US-CERT Vulnerability Note VU#842160
