Microsoft Internet Explorer contains multiple vulnerabilities that may allow an attacker to exploit the system. An attacker may collect system information, run a malicious script in the Local Machine security context, spoof displayed addresses in the address bar, or even take full control of the vulnerable system. The victim must execute several actions before the vulnerability is exploited.
The first vulnerability (CAN-2002-0842) is a heap overflow that allows a malicious web page or HTML-encoded e-mail using Cascading Style Sheets to execute code on the victim's machine. The degree of access gained depends on the security context of the user. Some reports have indicated that Internet Explorer
The second vulnerability is a remote code execution vulnerability within the Install Engine of the Internet Explorer Active Setup, specifically the dynamic-link library inseng.dll. The attacker may create a malicious web site or e-mail message that exploits the vulnerability and allows the remote attacker to gain the privileges of the user.
The third issue (CAN-2004-0839) is a privilege escalation vulnerability caused by the way Internet Explorer handles drag and drop events. A remote attacker could craft a malicious web page or e-mail message to save files to the targeted system in specified locations or to execute code. The attacker may use the hhctrl.ocx HTML Help ActiveX control to bypass security restrictions. The victim must take part in drag and drop activity before the vulnerability is fully exploited. This issue has been previously discussed in TruSecure Activity Alert 8061. Proof-of-concept code has been released to demonstrate this vulnerability.
The fourth vulnerability allows an attacker to spoof URLs in the address bar on systems using double-byte character sets. A false URL is listed in the address bar, hiding the actual location of the current web site. This may aid malicious web sites in disguising themselves as legitimate web sites. The issue lies in the way Internet Explorer parses special characters in HTTP URLs processed on double-byte character set systems.
The fifth vulnerability (CAN-2004-0843) exists in the way Internet Explorer processes plug-in navigation and allows a malicious web site to spoof the URL displayed in the address bar. An attacker may use this vulnerability to disguise a malicious web site as an innocent web site.
The sixth vulnerability (CAN-2004-0845) allows an attacker to run arbitrary script on security-enhanced web sites running SSL. The flaw exists in the way Internet Explorer validates the cached content stored on SSL-enabled web sites.
Exploit code has been made publicly available for the first, third and sixth vulnerabilities.