search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems

Vulnerability Note VU#334928

Original Release Date: 2003-08-26 | Last Revised: 2005-08-11

Overview

Certain versions of Microsoft Internet Explorer (IE) that support double-byte character sets (DBCS) contain a buffer overflow vulnerability in the Type attribute of the OBJECT element. A remote attacker could execute arbitrary code with the privileges of the user running IE.

Description

Microsoft Security Bulletin MS03-032 and SNS Advisory No.68 describe a buffer overflow vulnerability in the Type attribute of the OBJECT element. This vulnerability only affects double-byte character set versions of IE (e.g. Japanese) and may be related to VU#679556/CAN-2003-0344/MS030-020.

Impact

By convincing a victim to view an HTML document (web site, HTML email message), a remote attacker could execute arbitrary code with the privileges of the victim.

Solution

Apply patch

Apply 822925 or a more recent cumulative patch for IE. See Microsoft Security Bulletin MS03-032.

Vendor Information

334928
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  August 25, 2003 Updated:  August 25, 2003

Status

  Vulnerable

Vendor Statement

Please see Microsoft Security Bulletin MS03-032.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0701
CERT Advisory: CA-2003-22
Severity Metric: 7.09
Date Public: 2003-08-20
Date First Published: 2003-08-26
Date Last Updated: 2005-08-11 20:50 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.