CERTA-2003-AVI-184

Vulnerability from certfr_avis - Published: - Updated:

Microsoft has released a cumulative patch for Internet Explorer.

Description

  • Three vulnerabilities allow bypassing the isolation enforced by Internet Explorer's security zones (CVE CAN-2003-0814; CVE CAN-2003-815; CVE CAN-2003-816).
  • A vulnerability in the handling of XML objects allows the author of a suitably crafted website to read the local files of the user of the target machine (CVE CAN-2003-817).
  • A vulnerability in the download verification performed from a DHTML page allows a site author to carry out a download onto the target machine without the user being informed by a dialog box (CVE CAN-2003-0823).

Solution

Apply the vendor's patch:

http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

Impacted products

Vendor | Product | Description
Microsoft | N/A | Internet Explorer 6 Service
N/A | N/A | Internet Explorer 6 Service Pack 1
Microsoft | Windows | Internet Explorer 6 Service Pack 1 Windows Server 2003 (64-bit Edition)
N/A | N/A | Internet Explorer 5.5 Service Pack 2
Microsoft | N/A | Internet Explorer 5.01 Service Pack 3
Microsoft | N/A | Internet Explorer 6 Service Pack 1 (64-bit Edition)
Microsoft | N/A | Internet Explorer 5.01 Service Pack 4
Microsoft | N/A | Internet Explorer 5.01 Service Pack 2
Microsoft | Windows | Internet Explorer 6 Service Pack 1 Windows Server 2003

References

Microsoft Bulletin MS03-048 (vendor-advisory)


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Internet Explorer 6 Service ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 6 Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 6 Service Pack 1 Windows Server 2003 (64-bit Edition) ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 5.5 Service Pack 2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 5.01 Service Pack 3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 6 Service Pack 1 (64-bit Edition) ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 5.01 Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 5.01 Service Pack 2.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Internet Explorer 6 Service Pack 1 Windows Server 2003 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\n-   3 vuln\u00e9rabilit\u00e9s permettent de contourner le cloisonnement mis en\n    place au moyen des zones de s\u00e9curit\u00e9 au niveau d\u0027Internet Explorer\n    (CVE CAN-2003-0814 ; CVE CAN-2003-815 ; CVE CAN-2003-816).\n-   Une vuln\u00e9rabilit\u00e9 dans le traitement des objets XML permet \u00e0 un\n    concepteur d\u0027un site web judicieusement compos\u00e9 de lire les fichiers\n    locaux de l\u0027utilisateur de la machine cible (CVE CAN-2003-817).\n-   Une vuln\u00e9rabilit\u00e9 dans la v\u00e9rification de t\u00e9l\u00e9chargement depuis une\n    page DHTML permet \u00e0 un concepteur de site d\u0027effectuer un\n    t\u00e9l\u00e9chargement sur la machine cible sans que l\u0027utilisateur en soit\n    inform\u00e9 par une boite de dialogue (CVE CAN-2003-0823).\n\n## Solution\n\nAppliquer le correctif de l\u0027\u00e9diteur :\n\n    http://www.microsoft.com/technet/security/bulletin/MS03-048.asp\n",
  "cves": [],
  "links": [],
  "reference": "CERTA-2003-AVI-184",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2003-11-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Acc\u00e8s aux donn\u00e9es utilisateur"
    }
  ],
  "summary": "Un correctif cumulatif pour Internet Explorer a \u00e9t\u00e9 r\u00e9alis\u00e9 par\nMicrosoft.\n",
  "title": "Correctif cumulatif pour Internet Explorer",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin Microsoft MS03-048",
      "url": null
    }
  ]
}

