Microsoft Internet Explorer Data Binding Vulnerability

----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                   National Cyber Alert System

                 Cyber Security Alert SA08-352A


Microsoft Internet Explorer Data Binding Vulnerability

  Original release date: December 17, 2008
  Last revised: --
  Source: US-CERT


Systems Affected

    * Microsoft Internet Explorer
    * Microsoft Outlook Express
    * Other software that uses Internet Explorer components to render documents


Overview

  A vulnerability in Internet Explorer could allow an attacker to
  take control of your computer.


Solution

  Apply an update

  The updates to address these vulnerabilities are available on the
  Microsoft Update site. We recommend enabling Automatic Updates.

  Disable Active Scripting  This vulnerability can be mitigated by
  disabling Active Scripting in the Internet Zone, as specified in
  the Securing Your Web Browser document. Note that this will not
  block the vulnerability, but it will help to protect your computer
  against a common method used to execute this vulnerability.
  Enable DEP in Internet Explorer 7  Enabling DEP in Internet
  Explorer 7 on Windows Vista can help mitigate this vulnerability by
  making it more difficult to achieve code execution using this
  vulnerability.


Description

  When rendering certain documents, Internet Explorer may crash or
  allow an attacker to run code on your computer. The attacker could
  install malicious software or access sensitive personal
  information. Attackers are actively exploiting this vulnerability.

  For more technical information, see US-CERT Technical Alert
  TA08-352A and US-CERT Vulnerability Note VU#493881.


References

 * US-CERT Technical Cyber Security Alert TA08-352A -
  <http://www.us-cert.gov/cas/techalerts/TA08-352A.html>

 * Microsoft Security Bulletin MS08-078 -
  <https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>

 * US-CERT Vulnerability Note VU#493881 -
  <http://www.kb.cert.org/vuls/id/493881>

 * Securing Your Web Browser -
  <https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

 ______________________________

______________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/alerts/SA08-352A.html>
 ____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "SA08-352A Feedback VU#493881" in
  the subject.
 ____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

  Produced 2008 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History

 December 17, 2008: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSUlp8HIHljM+H4irAQKhqgf+N88zl28wMhyNfYPgA/3Wh6ndEntBvFaf
LHlHCbKYo6g77Nu6JtMNxG+FFk19dsRHXAdw4y22W9Tkt3VegyeKBnn+w5V2I1FO
JCA4HUo+TUmyQJPy2VsRlyogqMml2OA+pqImcUADMQQfgg92QskaHtE02KNjucRj
GR8OC7S6bkQ7igEaT8RPKhb671Z5Vd3PvB3zuiSzfT8eWonBogDa0dI0tpAdvPKS
OWpNmtxCvgv7fN3vUWOHgKMTM8pLYSyMunrcHBEhY31qb34+DPYqz3KAPUdcncUd
fRsaum80D8ansP+rsKcCA/0qsLfGkyqQMt/Z6tQDtshmtCLwSegpmw==
=Vokc
-----END PGP SIGNATURE-----