Microsoft IE/Outlook ActiveX Cross-Domain Script Execution Vulnerability (CVE-2003-0116) Analysis

Key Vulnerability Information Summary Vulnerability Overview Vulnerability Note: VU#244729 Release Date: 2003-05-05 Last Revised: 2003-05-06 Vulnerability Description Affected Software: Microsoft Internet Explorer, Outlook, Outlook Express, MSN Messenger, Eudora, Lotus Notes, Adobe PhotoDeluxe, AOL, and other software using the WebBrowser ActiveX control. Vulnerability Details: Internet Explorer does not properly validate window decoration parameters within dialog box frames, allowing malicious scripts to perform cross-domain execution, including accessing local files and data (such as cookies). Related Vulnerabilities: VU#626395 and VU#25249, which allow execution of arbitrary commands. Impact Attack Vector: Attackers can exploit specially crafted HTML documents (such as web pages or emails) to read data from other domains, including data from the Local Machine Zone. Potential Harm: Reading cookies, executing arbitrary commands, etc. Remediation 1. Apply Patches: - Install Q813489 or a later cumulative patch. - Refer to Microsoft Security Bulletin MS03-015. 2. Disable Active Scripting: - Disable Active scripting in the Internet zone and zones used by Outlook. 3. Apply Outlook Email Security Update: - Install the Outlook Email Security Update to prevent Active scripting execution in the Restricted Sites zone. 4. Update HTML Help: - Install updated HTML Help (Q811630) and disable certain HTML Help commands. 5. Restrict HTML Help Commands: - Refer to Microsoft Knowledge Base article 810687 to restrict or disable Shortcut and WinHelp commands. Additional Information CVE ID: CVE-2003-0116 Severity Score: 16.73 Public Disclosure Date: 2002-12-03 Initial Release Date: 2003-05-05

Goal Reached Thanks to every supporter — we hit 100%!

Microsoft IE/Outlook ActiveX Cross-Domain Script Execution Vulnerability (CVE-2003-0116) Analysis