I. Description
Microsoft Security Bulletin MS04-025 describes three vulnerabilities
in Internet Explorer; more detailed information is available in the
individual vulnerability notes. Note that in addition to Internet
Explorer, any applications that use the Internet Explorer HTML
rendering engine to interpret HTML documents may present additional
attack vectors for these vulnerabilities.

VU#266926 - Microsoft Internet Explorer contains an integer overflow
in the processing of bitmap files

An integer overflow vulnerability has been discovered in the way that
Internet Explorer processes bitmap image files. This vulnerability
could allow a remote attacker to execute arbitrary code on a
vulnerable system by introducing a specially crafted bitmap file.
(Other resources: CAN-2004-0566)
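
The bug class named above, as an added illustration that is not code from Internet Explorer or from the bulletin: a bitmap header size calculation that wraps in 32 bits, beside a checked version a parser can use before allocating. The bulletin does not say which field overflows; the BITMAPINFOHEADER layout is standard, while the function names, the helper make_header and the 256 MiB cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PIXEL_BYTES ((uint64_t)256 << 20)  /* assumed policy cap: 256 MiB */

/* Read little-endian 32-bit and 16-bit header fields. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Unsafe pattern: the product is truncated to 32 bits, so large dimensions
 * wrap to a small allocation size while later loops still use the full
 * width and height. */
uint32_t naive_pixel_bytes32(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * (bpp / 8);
}

/* Hardened pattern: validate each field, then compute in 64 bits and bound
 * the product before multiplying. Returns 0 and sets *out on success,
 * -1 if the header must be rejected. */
int bmp_pixel_bytes(const uint8_t *hdr, size_t len, size_t *out) {
    if (hdr == NULL || out == NULL || len < 40 || le32(hdr) < 40) return -1;
    int32_t w = (int32_t)le32(hdr + 4);
    int32_t h = (int32_t)le32(hdr + 8);   /* negative means top-down rows */
    uint16_t planes = le16(hdr + 12), bpp = le16(hdr + 14);
    if (w <= 0 || h == 0 || planes != 1) return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    uint64_t rows = (uint64_t)(h < 0 ? -(int64_t)h : (int64_t)h);
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;  /* rows pad to 4 bytes */
    if (stride > MAX_PIXEL_BYTES / rows) return -1;         /* product exceeds cap */
    *out = (size_t)(stride * rows);
    return 0;
}

/* Build a constructed 40-byte BITMAPINFOHEADER to exercise the checks. */
void make_header(uint8_t hdr[40], int32_t w, int32_t h, uint16_t bpp) {
    for (int i = 0; i < 40; i++) hdr[i] = 0;
    uint32_t f[3] = {40, (uint32_t)w, (uint32_t)h};
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) hdr[i * 4 + b] = (uint8_t)(f[i] >> (8 * b));
    hdr[12] = 1;                                   /* biPlanes */
    hdr[14] = (uint8_t)bpp; hdr[15] = (uint8_t)(bpp >> 8);
}
```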

VU#685364 - Microsoft Internet Explorer contains a double-free
vulnerability in the processing of GIF files

A double-free vulnerability has been discovered in the way that
Internet Explorer processes GIF image files. When processing GIF image
files, the routine responsible for freeing memory may attempt to free
the same memory reference more than once. Deallocating the already
freed memory can lead to memory corruption, which could cause a
denial-of-service condition or potentially be leveraged by an attacker
to execute arbitrary code.
(Other resources: CAN-2003-1048)

VU#713878 - Microsoft Internet Explorer does not properly validate
source of redirected frame

As previously discussed in TA-163A, Microsoft Internet Explorer does
not adequately validate the security context of a frame that has been
redirected by a web server. An attacker could exploit this
vulnerability to evaluate script in different security domains. By
causing script to be evaluated in the Local Machine Zone, the attacker
could execute arbitrary code with the privileges of the user running
Internet Explorer. For a detailed technical analysis of this
vulnerability, please see VU#713878.
(Other resources: CAN-2004-0549)