Published:2005/07/12  Last Updated:2008/05/21

JVN#257C6F28
Vulnerability involving security zone handling in applications using Internet Explorer components

Overview

Internet Explorer (IE) components apply different security levels for web content processing depending on the location (zone) of the web content.
As a result, web content on the Internet is processed in the "Internet" zone with a higher security level than that set for web content in the "Intranet" zone.
However, we have confirmed that some applications using IE components may process web content in an inappropriate zone.

Products Affected

  • Products displaying web contents by using IE components (including IE itself)

Description

Impact

Arbitrary code could be executed in a zone with a low security level on a user's computer. This may allow a remote attacker to take complete control of the user's computer.

Solution

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Vulnerable 2005/10/28
NIPPONHYOJUN Co.Ltd. Vulnerable 2005/07/12
JustSystems Corporation Vulnerable 2005/07/12
Fuji Electric Systems Co.,Ltd. Not Vulnerable 2005/07/12
YMIRLINK Inc. Vulnerable 2005/07/12
manax Co., LTD. Vulnerable 2005/07/12
Hitachi Vulnerable 2006/02/07
NEC Corporation Not Vulnerable, investigating 2005/07/12
Cybozu, Inc. Not Vulnerable 2005/07/12
Mitsubishi Electric Corporation Unknown 2005/07/12
Yamaha Corporation Not Vulnerable 2005/10/14
RICOH COMPANY, LTD. Not Vulnerable 2006/03/10
Orangesoft Inc. Not Vulnerable 2005/09/05

References

  1. Microsoft Co.,Ltd.
    http://support.microsoft.com/default.aspx?scid=kb%3bja%3b833633
  2. Microsoft Co.,Ltd.
    http://support.microsoft.com/default.aspx?scid=kb%3bja%3b884429
  3. Microsoft Co.,Ltd.
    Introduction to URL Security Zones
  4. Microsoft Co.,Ltd.
    Mark of the Web

JPCERT/CC Addendum

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2005-000775

Update History