search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer contains a Channel Definition Format (CDF) cross-domain vulnerability

Vulnerability Note VU#823971

Original Release Date: 2005-02-08 | Last Revised: 2005-02-09


Microsoft Internet Explorer contains a vulnerability that may allow unintended information disclosure or remote code execution due to a flaw in handling Channel Definition Format (CDF) files.


From the Microsoft Channel Definition Format description:

Channel Definition Format (CDF) files can be used to organize a set of related Web pages into a logical hierarchy. A channel is a Web site described by a Channel Definition Format (CDF) file. The CDF file defines a hierarchy of the pages that are included in the channel. Besides defining the resources in the channel, the CDF file also specifies how each item will be used or displayed, and when the channel should be updated. For more information about CDF files, see the product documentation.

An attacker may be able to exploit the flaw in CDF file handling to execute code in the Local Machine Zone.


A remote attacker may be able to execute arbitrary code or access otherwise restricted information by crafting a malicious web page, then convincing a user to visit it by clicking on a link or email. The code would execute with the privileges of the user running Internet Explorer.


Apply an update
Microsoft Windows users should use Windows Update to automatically obtain the correct fixes, or apply the relevant patches outlined in Microsoft Security Bulletin MS05-014, described in Microsoft Knowledge Base Article 867282.

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 includes a feature called Local Machine Zone Lockdown, as well as other improvements. The Local Machine Zone Lockdown prevents Internet Explorer and several other programs from evaluating script in the Local Machine Zone. While this does not remove the vulnerability, it does help prevent an attacker from executing script in the Local Machine Zone.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Vendor Information


Microsoft Corporation Affected

Notified:  February 08, 2005 Updated: February 08, 2005



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Microsoft Corporation has published information on this vulnerability in Microsoft Security Bulletin MS05-014, with details in Microsoft Knowlege Base Article 867282.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to the Microsoft Corporation for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.

Other Information

CVE IDs: CVE-2005-0056
Severity Metric: 21.00
Date Public: 2005-02-08
Date First Published: 2005-02-08
Date Last Updated: 2005-02-09 17:02 UTC
Document Revision: 13

Sponsored by CISA.