This is the last known contents of the Unpatched IE security holes page before it was taken down. It tracks IE security holes up until 11 September 2003 and is no longer current.

Unpatched IE security holes

Why this page?

This page is a list of vulnerabilities that remain unpatched. It is our hope that the increased awareness brought forth may help further the research necessary to properly secure them.
Vulnerabilities listed on this page work (among others) with the latest versions of Internet Explorer, with all patches installed.
Until proper patches have been provided, the only fix to some of these vulnerabilities is to disable scripting.

This page is, and always will be, a work in progress. This is not a definitive list of vulnerabilities.

Miscellaneous news

11 September 2003: There are currently 31 unpatched vulnerabilities.

The latest cumulative Internet Explorer patch was released August 20, 2003 with the identifier MS03-032.
Cumulative patches combine all previous IE patches, and should be considered mandatory installs.

11 September 2003: Added Media bar resource injection by jelmer
10 September 2003: Added file-protocol proxy by Liu Die Yu
10 September 2003: Added NavigateAndFind protocol history by Liu Die Yu
10 September 2003: Added window.open search injection by Liu Die Yu
10 September 2003: Added NavigateAndFind file proxy by Liu Die Yu
10 September 2003: Added Timed history injection by Liu Die Yu
10 September 2003: Added history.back method caching by Liu Die Yu
10 September 2003: Added Click hijacking by Liu Die Yu
9 September 2003: Re-added Re-evaluating HTML elevation
26 August 2003: Added ADODB.Stream local file writing by jelmer
20 August 2003: Changed latest cumulative IE patch link, MS03-032 released
5 August 2003: Added Notepad popups by Richard M. Smith
4 August 2003: Added protocol control chars by badWebMasters

Unpatched vulnerabilities

Media bar resource injection
Description: Arbitrary file download and execution, by ability to load resource files in a window object
Reference: http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
Exploit: http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

file-protocol proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
Exploit: http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM

NavigateAndFind protocol history
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
Exploit: http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM

window.open search injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
Exploit: http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm

NavigateAndFind file proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
Exploit: http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm

Timed history injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
Exploit: http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM

history.back method caching
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
Exploit: http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM

Click hijacking
Description: Pointing IE mouse events at non-IE/system windows
Reference: http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
Exploit: http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM

Re-evaluating HTML elevation dataSrc command execution
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference: http://security.greymagic.com/adv/gm001-ie/
Example exploit: http://security.greymagic.com/adv/gm001-ie/advbind.asp
Note: See 6th May 2003 Notes.

Notes September 2003:
Renamed and re-added, symptom fixed instead of problem. Now demonstrates how to reach HTA functionality.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
Example exploit: http://www.malware.com/badnews.html
Example exploit without scripting: http://www.malware.com/greymagic.html
Temporary workaround: Change the mime-type application/hta to something else

ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: http://ip3e83566f.speed.planet.nl/eeye.html (but unrelated to the EEye exploit)

Notepad popups
Description: Opening popup windows without scripting
Reference: http://computerbytesman.com/security/notepadpopups.htm
Followup: http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
Note: This is just an example of the problem; this entry will be replaced when more material is published.

protocol control chars
Description: Circumventing content filters
Reference: http://badwebmasters.net/advisory/012/
Exploit: http://badwebmasters.net/advisory/012/test2.asp

WMP local file bounce
Description: Switching security zone, arbitrary command execution, automatic email-borne command execution
Reference: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
Exploit: http://www.malware.com/once.again!.html

HTTP error handler Local Zone XSS
Description: HTML/Script injection in the Local Zone
Reference: http://sec.greymagic.com/adv/gm014-ie/
Exploit: http://sec.greymagic.com/adv/gm014-ie/

XSS in Unparsable XML Files
Description: Cross-Site Scripting on any site hosting files that can be misrendered in MSXML
Reference: http://sec.greymagic.com/adv/gm013-ie/
Exploit: http://sec.greymagic.com/adv/gm013-ie/

Alexa Related Privacy Disclosure
Description: Unintended disclosure of private information when using the Related feature
Reference: http://www.secunia.com/advisories/8955/
Reference: http://www.imilly.com/alexa.htm

Basic Authentication URL spoofing
Description: Spoofing the URL displayed in the Address bar
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html

DNSError folder disclosure
Description: Gaining access to local security zones
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html

mhtml wecerr CAB flip
Description: Delivery and installation of an executable
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html

WebFolder data Injection
Description: Injecting arbitrary data in the My Computer zone
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html

codebase local path
Description: Allows execution of arbitrary commands in Local Zones
Hinted: June 25th 2000 by Dildog
Reference: http://online.securityfocus.com/archive/1/66869
Hinted: November 23rd 2000 by Georgi Guninski
Reference: http://www.guninski.com/parsedat-desc.html
Published: January 10th 2002, by thePull (incorrectly labeled the "Popup object" vulnerability)
Reference: http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
Example exploit: http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
Note: See 6th May 2003 Notes.

Web Archive buffer overflow
Description: Possible automated code execution.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html

dragDrop invocation
Description: Arbitrary local file reading through native Windows dragDrop invocation.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
Exploit: http://kuperus.xs4all.nl/security/ie/xfiles.htm

document.domain parent DNS resolver
Description: Improper duality check leading to firewall breach
Published: July 29 2002
Reference: http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0

FTP Folder View XSS
Description: Elevating privileges, running script in the My Computer zone, arbitrary command execution, etc.
Published: June 7th 2002 (Microsoft was notified December 21st 2001.)
Reference: http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
Exploit: http://jscript.dk/Jumper/xploit/ftpfolderview.html

DynSrc Local File detection
Description: Detect if a local file exists, and read its size/date
Published: March 27th 2002
Reference: http://security.greymagic.com/adv/gm003-ie/

Status: Patched in IE6 by IE6 Service Pack 1, but IE5 and 5.5 are still vulnerable.

Security zone transfer
Description: Automatically opening IE + Executing attachments
Published: March 22nd 2002
Reference: http://security.greymagic.com/adv/gm002-ie/

Extended HTML Form Attack
Description: Cross Site Scripting through non-HTTP ports, stealing cookies, etc.
Published: February 6th 2002
Reference: http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm

"script src" local file enumeration
Description: Enables a malicious programmer to detect if a local file exists.
Published: January 3rd 2002
Reference: http://www.securityfocus.com/bid/3779
Example exploit: http://jscript.dk/Jumper/xploit/scriptsrc.html

IE https certificate attack
Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime
Published: December 22 2001 ( Stefan Esser )
Published: June 6 2000 ( ACROS )
Reference: http://security.e-matters.de/advisories/012001.html
Example exploit: http://suspekt.org/

Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.

Patched vulnerabilities

These used to be listed on this page, but have now been patched. Hopefully, this means that this page is working as expected.

Content-Disposition/Type
Description: Allows spoofing of filename in download dialog
Published: November 26th 2001
Reference: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&threads=1&tid=242376
Patched: December 13th 2001 ( http://www.microsoft.com/technet/security/bulletin/MS01-058.asp )
Re-Published: December 16th (by HTTP-EQUIV, patch didn't work)
Reference: http://online.securityfocus.com/archive/88/245822
Example exploit: http://jscript.dk/Jumper/xploit/contentspoof.asp
Finally patched by MS02-005 (nice touch about blurring Open)

XMLHTTP
Description: Allows reading of local files
Published: December 15th 2001
Reference: http://www.securityfocus.com/bid/3699
Example exploit: http://jscript.dk/Jumper/xploit/xmlhttp.asp
Finally completely patched by MS02-008

document.open
Description: Allows cross-domain scripting (reading cookies from other site, etc.)
Published: December 19th 2001
Reference: http://www.securityfocus.com/bid/3721
Example exploits: http://tom.me.uk/MSN/ & http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html
Patched by MS02-005

GetObject
Description: Allows reading of local files (any type, even binary)
Published: January 1st 2002
Reference: http://www.securityfocus.com/bid/3767
Example exploit: http://jscript.dk/Jumper/xploit/GetObject.html
Patched by MS02-005

Cookie-based Script Execution
Description: Injecting script in the Local Zone.
Published: April 3rd 2002
Reference: http://online.securityfocus.com/archive/1/265459

Status: Partly patched by MS02-015, easily circumvented.
Patched by MS02-023

File download execution
Description: Download and execute any program automatically
Published: March 18th 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/48_e.html
History: Added March 23rd, removed March 26th, re-added March 27th
Details: http://www.newsbytes.com/news/02/175484.html

Patched by MS02-023

OWC Local File Detection
Description: Multiple local files detection issues
Published: April 8th 2002
Reference: http://security.greymagic.com/adv/gm008-ie/
Exploit: http://security.greymagic.com/adv/gm008-ie/
Patched by MS02-044

OWC Clipboard Access
Description: Complete clipboard access even with Clipboard Disabled
Published: April 8th 2002
Reference: http://security.greymagic.com/adv/gm007-ie/
Exploit: http://security.greymagic.com/adv/gm007-ie/
Patched by MS02-044

OWC Local File Reading
Description: Reading local and remote files with OWC in IE
Published: April 8th 2002
Reference: http://security.greymagic.com/adv/gm006-ie/
Exploit: http://security.greymagic.com/adv/gm006-ie/
Patched by MS02-044

OWC Scripting
Description: Running script even with Scripting Disabled
Published: April 8th 2002
Reference: http://security.greymagic.com/adv/gm005-ie/
Exploit: http://security.greymagic.com/adv/gm005-ie/advowcscr.asp
Patched by MS02-044

Remote dialogArguments interaction
Description: Elevating privileges, hijacking MSN Messenger, running script in the My Computer zone, arbitrary command execution, etc.
Published: April 16th 2002
Reference: http://jscript.dk/adv/TL002/
Exploit: http://jscript.dk/adv/TL002/

Appendix: Extending the vulnerable version from just IE6 to IE5 and higher.
Reference and exploit: http://security.greymagic.com/adv/gm001-ax/

Status: Partly patched by MS02-023, IE6 appears fixed while IE5.5 and 5 are still wide open.
Patched by MS02-047

Gopher buffer overflow
Description: Delivery and execution of arbitrary code
Published: June 4th 2002
Reference: http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en
Workaround: http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
Third-party fix: http://www.pivx.com/gopher_smoker.html
Patched by MS02-047

object Cross Domain Scripting
Description: Elevating privileges, arbitrary command execution, local file reading, stealing arbitrary cookies, etc.
Published: July 10 2002
Reference: http://www.pivx.com/larholm/adv/TL003/
Exploit: http://www.pivx.com/larholm/adv/TL003/
Patched by MS02-047

IE dot bug
Description: Overriding filetype handlers on local files
Published: May 19th 2002
Reference: http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0
Patched by MS02-047

XP Help deleter
Description: Arbitrary local file/folder deletion.
Published: August 15 2002
Reference: http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00224.html
Exploit: http://jscript.dk/2002/8/sec/xphelpdelete.html
Patched by Windows XP SP1

delegated SSL authority
Description: HTTPS spoofing, man-in-the-middle attacks, etc.
Published: August 6 2002
Reference: http://www.thoughtcrime.org/ie-ssl-chain.txt
Reference: http://arch.ipsec.pl/inteligo.html
Exploit: http://www.thoughtcrime.org/ie.html
Appears patched by MS02-050

Who framed Internet Explorer
Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
Published: September 9 2002
Reference: http://sec.greymagic.com/adv/gm010-ie/
Exploit: http://sec.greymagic.com/adv/gm010-ie/wfsimple.html
Patched by MS02-066

iframe Document - The D-day
Description: Circumventing zone sandboxing, XSS, cookie theft, local file reading / execution
Published: October 15 2002
Reference: http://security.greymagic.com/adv/gm011-ie/
Exploits: http://security.greymagic.com/adv/gm011-ie/
Patched by MS02-066

object zone redirection
Description: Circumventing the zone restrictions introduced by IE6 SP1
Published: September 10 2002
Reference: http://www.pivx.com/larholm/adv/TL005/
Reference: http://online.securityfocus.com/bid/5730/discussion/
Patched by MS02-066

showModalDialog method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

createRange method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

elementFromPoint method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementById method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementsByName method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementsByTagName method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

execCommand method caching
Description: Read access to the foreign document.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

document.write method caching
Description: Spoofing of content
Published: October 21 2002
Reference: http://online.securityfocus.com/archive/1/296371/2002-10-19/2002-10-25/0
Exploit: http://clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
Patched by MS02-066

"assign" method caching
Description: Circumventing zone sandboxing, cross-protocol scripting, cookie theft, and possible local file reading / execution
Published: October 1 2002
Reference: http://online.securityfocus.com/archive/1/293692/2002-09-29/2002-10-05/0
Exploit: http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
Exploit: http://jscript.dk/2002/10/sec/SaveRefLocalFile.html (local file reading and execution)
Patched by MS02-066

Slash URL encoding XSS
Description: Arbitrary Cross Domain Scripting, cookie theft, etc.
Published: September 3 2002
Reference: http://online.securityfocus.com/archive/1/290220/2002-09-01/2002-09-07/0
Exploit: http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
Patched by MS02-066

HTML Help ActiveX
Description: stack and heap based buffer overflows, DOS
Published: May 27th 2002
Reference: http://www.nextgenss.com/vna/ms-whelp.txt
Reference: http://online.securityfocus.com/bid/4857
Believed to be Patched by MS02-066

external object caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-068

MS JVM native method vulnerabilities
Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
Published: September 9 2002
Reference: http://www.solutions.fi/index.cgi/news_2002_09_09?lang=eng
Patched by MS03-011

Self-executing HTML Help
Description: Delivery and execution of arbitrary programs
Published: June 1st 2002
Reference: http://www.malware.com/yelp.html
Reference: http://online.securityfocus.com/archive/1/275126
Exploit: http://www.malware.com/html.zip
Patched by MS03-015

cross-frame dialogArguments access
Description: Circumventing security zones, local file reading / execution, etc.
Published: November 20 2002
Reference: http://online.securityfocus.com/archive/1/300525/2002-11-17/2002-11-23/0
Exploit: http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
Extended Exploit: http://security.greymagic.com/misc/globalDgArg/
Patched by MS03-015

clipboardData object caching
Description: Read/write access to the clipboard, regardless of settings.
Published: October 22 2002
Reference: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS03-015

Java XMLDSO base tag
Description: Arbitrary local file reading.
Published: August 17 2002
Reference: http://online.securityfocus.com/archive/1/287895/2002-08-15/2002-08-21/0
Exploit: http://www.xs4all.nl/~jkuperus/msieread.htm
Patched by MS03-011 and MS03-015

CTRL-key file upload focus
Description: Local file reading, downloading and executing arbitrary code.
Published: July 23 2002
Reference: http://online.securityfocus.com/archive/1/283866/2002-07-21/2002-07-27/0
Exploit: http://jscript.dk/2002/7/sec/sandbladctrl.html (corrected to include SHIFT)
Patched by MS03-015

Back Button CSS
Description: Read cookies/local files and execute code (triggered when user hits the back button)
Published: April 15th 2002
Reference: http://online.securityfocus.com/archive/1/267561
Patched by MS03-015

HELP.dropper (IE6, OE6, Outlook)
Description: Silent delivery and installation of an executable on a target computer
Published: March 28th 2002
Reference and example exploit: http://www.malware.com/lookout.html
Reference: http://online.securityfocus.com/archive/1/264590
Patched by MS03-015

JVM Bytecode Verifier
Description: Escaping applet sandbox restrictions, taking any action.
Published: November 21 2002
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html
Reference / POC: http://lsd-pl.net/java_security.html
Patched by MS03-011

Embedded files XSS
Description: XSS to arbitrary sites, cookie theft
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/218.html
Exploit: http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
Patched by MS03-015

dialog style XSS
Description: security zone XSS, cookie theft, monitoring the user.
Published: December 3 2002
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/29.html
Exploit: http://jscript.dk/2002/11/sec/diemodalstyleXSS.html
Patched by MS03-015

WMP Stench
Description: Silent delivery and installation of an executable on a target computer
Published: August 21 2002
Reference: http://www.malware.com/stench.html
Exploit: http://www.malware.com/malware.php
Patched by MS03-015

cssText Local File Reading
Description: Reading portions of local files, depending on structure.
Published: April 2nd 2002
Reference: http://security.greymagic.com/adv/gm004-ie/
Exploit: http://security.greymagic.com/adv/gm004-ie/
Patched by MS03-015

object longtype
Description: Code execution
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/49.html
Exploit: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/78.html
Patched by MS03-020

remote file request flooding
Description: Arbitrary remote file execution
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/130.html
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/147.html
Exploit: http://www.malware.com/forceframe.html
Patched by MS03-020

local file request flooding
Description: Arbitrary local file execution
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/85.html
Patched by MS03-020

align buffer overflow
Description: Buffer overflow, arbitrary code execution
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/170.html
Patched by MS03-023

Related patches

MS02-008
Patches: XMLHTTP
Published: February 22nd 2002 (21st February in USA)
Location: http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

MS02-044
Patches: OWC Local File Detection, OWC Clipboard Access, OWC Local File Reading & OWC Scripting
Published: August 20th 2002
Location: http://microsoft.com/technet/security/bulletin/MS02-044.asp

IE6 Service Pack 1
Patches: cssText and DynSrc
Published: September 9th 2002
Location: http://microsoft.com/windows/ie/downloads/critical/ie6sp1/

Windows XP Service Pack 1
Patches: Everything IE6 SP1 patches, and XP Help deleter
Published: September 9th 2002
Location: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

MS02-050
Patches: delegated SSL authority
Published: September 4th 2002, last updated October 17th 2002
Location: http://microsoft.com/technet/security/bulletin/MS02-050.asp

MS03-011
Patches: ByteCode Verifier and all previous JVM-related vulnerabilities; this is MS JVM build 3810.
Published: April 9th 2003
Location: http://www.microsoft.com/technet/security/bulletin/MS03-011.asp

MS03-020
Notice: This is the latest IE cumulative patch. This combines all previous IE patches.
Patches: object longtype overflow
Published: June 4th 2003
Location: http://www.microsoft.com/technet/security/bulletin/MS03-020.asp

MS03-032
Notice: This is the latest IE cumulative patch. This combines all previous IE patches.
Patches: OBJECT HTA execution, and other not publicly known vulnerabilities
Published: August 20th 2003
Location: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

MS03-023
Patches: align buffer overflow
Published: July 10 2003
Location: http://www.microsoft.com/technet/security/bulletin/MS03-023.asp

Who

Please mail any questions or comments to

thor (at) pivx (dot) com