CERT Coordination Center

Microsoft Internet Explorer does not properly handle navigations from plug-ins

Vulnerability Note VU#625616

Original Release Date: 2004-10-13 | Last Revised: 2004-10-15

Overview

Microsoft Internet Explorer contains a vulnerability in its handling of navigation commands from plug-ins. This could let an attacker spoof the address of a website.

Description

Microsoft Internet Explorer improperly handles navigations from plug-ins, such as ActiveX controls. This improper navigation handling could cause IE to display an incorrect URL in the Address bar. As a result, a web site operator could make it appear that the content from his or her web site actually originated from another site when, in fact, it did not.

Impact

An intruder could use this vulnerability to convince a user that the intruder's web site is a site that the user trusts, one to which the user might provide sensitive information.

Solution

Apply a patch

Apply the patch referenced in MS04-038.

Vendor Information

Microsoft Corporation

Updated:  October 13, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Acknowledgements

Thanks to Microsoft for reporting this vulnerability.

This document was written by Will Dormann, based on the information provided in the Microsoft Security Bulletin.

Other Information

CVE IDs: CVE-2004-0843
Severity Metric: 1.98
Date Public: 2004-10-12
Date First Published: 2004-10-13
Date Last Updated: 2004-10-15 20:37 UTC
Document Revision: 6

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.