Issues the date: 2007-10-09

Renewal date: 2007-10-10

Is affected the system:

Microsoft Internet Explorer 7.0

Microsoft Internet Explorer 6.0 SP1

Microsoft Internet Explorer 6.0

Microsoft Internet Explorer 5.0.1 SP4

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 25916

CVE(CAN) ID: CVE-2007-3893

Internet Explorer is the WEB browser which in Microsoft's operating system ties up.

IE when processing document downloading formation has the crack, the malicious website possibly uses this crack to control the subscriber system.

When processing document downloading formation, if Internet Explorer has processed many parallel start-up file downloading attempt, possibly causes the memory to destroy, the use already released object. The aggressor may use this crack through the construction handtailor homepage. If the user examination homepage, this crack possibly permits the long-distance executive order.

<* origin: Carsten H. Eiram

Link: http://secunia.com/secunia_research/2007-31/advisory/

http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx?pf=true

http://www.us-cert.gov/cas/techalerts/TA07-282A.html

*>

Suggested:

--------------------------------------------------------------------------------

Temporary solution:

If you cannot install the patch or the promotion immediately, NSFOCUS suggested that you take the following measure to reduce the threat:

* establishes as “high” Internet and the local intranet safe area by before moving ActiveX controls and the active script requests the prompt.

Manufacturer patch:

Microsoft

---------

Microsoft had already issued a safe announcement for this reason (MS07-057) as well as the corresponding patch:

MS07-057:Cumulative Security Update for Internet Explorer (939653)

Link: http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx?pf=true