June 29, 2006 -- US-CERT is aware of publicly available exploit code for two unpatched vulnerabilities in Microsoft Internet Explorer. We are tracking the first vulnerability as VU#655100. By persuading a user to double-click a file accessible through WebDAV or SMB, a remote attacker may be able to execute arbitrary code with the privileges of the user.
The second issue is a cross-domain violation vulnerability that is being tracked as VU#883108. Successful exploitation could allow a remote attacker to access the contents of a web page in another domain. This exploitation could lead to information disclosure, which may include harvesting user credentials.
When available, more information about these vulnerabilities can be found in the following:
* Vulnerability Note: VU#655100 - Microsoft Internet Explorer fails to properly handle file shares
* Vulnerability Note: VU#883108 - Microsoft Internet Explorer HTML Document object cross-domain vulnerability
Until an update, patch, or more information becomes available, US-CERT recommends the following:
* Do not follow unsolicited links.
* To address the cross-domain violation vulnerability (VU#883108):
    o Disable ActiveX as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
We will continue to update current activity as more information becomes available.
Source: US-CERT
Source: Wired News