_________________________________________________________

    DePaul University Computer Security Response Team
                        C S R T
_________________________________________________________

Computer Security Vulnerability Alert
_____________________________________________________________________

23:18 -0500 2003-08-20

SUMMARY
    Cumulative Updates for Microsoft Internet Explorer

SEVERITY
    Critical

    ** Please contact CSRT at immediately                           *
    ** if you have determined your computer has been compromised.   *
    ** For more assistance with this vulnerability, contact the     *
    ** DePaul University helpdesk at 312-362-8765.                  *

PLATFORM
    Microsoft Windows Operating Systems running the following
    versions of Internet Explorer:

    - Microsoft Internet Explorer 5.01
    - Microsoft Internet Explorer 5.5
    - Microsoft Internet Explorer 6.0
    - Microsoft Internet Explorer 6.0 for Windows 2003 Server

IMPACT
    Privilege escalation and abuse of the cross domain security
    model built into Internet Explorer; possible privilege
    escalation on the local system.

FIX
    Please visit the Microsoft Windows Update website listed at the
    bottom of this vulnerability alert.

SCOPE
    All University computers running Microsoft Windows and the
    affected versions of Internet Explorer listed above.

DETAILS
    1. Vulnerabilities exist in the handling of the cross-domain
       security measures that keep different domains from sharing
       information. An attacker who convinces a user to visit a
       web page may be able to have malicious code downloaded and
       to inspect information from other domains remotely.

    2. A vulnerability exists in Internet Explorer's handling of
       object types in an HTTP request of a web page. This flaw may
       also exist in locally parsed HTML email. An attacker would be
       able to run malicious code on the vulnerable computer in the
       context of the logged-on user.

EXPLOIT
    No exploits have been reported at this time. CSRT will monitor
    activity and report if other exploits are found.

ALERTID
    CSRT2003082001

REVISION
    Id: csrt-va2003082001.txt,v 1.1 2003/08/21 04:18:14 epancer Exp
______________________________________________________________________

MORE INFO
    o Windows Update Website
    o Copy of this CSRT Alert
    o Microsoft Security Bulletin MS03-032
______________________________________________________________________

_____________________________END OF ALERT_____________________________