CERT® Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet ExplorerOriginal issue date: August 26, 2003
Last revised: October 6, 2003
A complete revision history is at the end of this file.
Systems AffectedMicrosoft Windows systems running
Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.
Microsoft Security Bulletin MS03-032 describes five vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual vulnerability notes. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities.
VU#205148 - Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers
VU#865940 - Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
VU#548964 - Microsoft Windows BR549.DLL ActiveX control contains vulnerability
VU#813208 - Microsoft Internet Explorer does not properly render an input type tag
VU#334928 - Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems
These vulnerabilities have different impacts, ranging from denial of service to execution of arbitrary commands or code. Please see the individual vulnerability notes for specific information. The most serious of these vulnerabilities (VU#865940) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.
Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-040.
Note: (2003-10-04) The patch described in MS03-032 (822925) does not completely resolve the vulnerability described in VU#865940. This patch does not address at least two attack vectors that can be used to exploit this vulnerability. Microsoft has since released Security Bulletin MS03-040 which supercedes MS03-032 and addresses the other attack vectors for VU#865940. The CERT/CC encourages users to apply the patch referenced in MS03-040 and also consider applying the additional steps listed in the solution section of VU#865940.
The patch also changes the behavior of the HTML Help system (see VU#25249):
After releasing MS03-032, Microsoft identified a problem with the patch. The only affected configurations are Windows XP systems running the web server component of Internet Information Services (IIS) 5.1 with .NET Framework 1.0 serving ASP.NET web pages. Clients using such servers may receive error messages when attempting to view web pages. More information, including a workaround, is available in Microsoft Knowledge Base Article 827641.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
Appendix B. References
Feedback can be directed to the author, Art Manion.
This document is available from: http://www.cert.org/advisories/CA-2003-22.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
August 26, 2003: Initial release