Microsoft has issued a cumulative patch, which fixes multiple vulnerabilities in Internet Explorer. These vulnerabilities can potentially be exploited to bypass Internet Explorer security restrictions and execute arbitrary code with the privileges of the current user.

Three different vulnerabilities allows malicious HTML documents such as emails or web pages to bypass the security zone restrictions and to perform actions in the Local Zone (My Computer Zone). These vulnerabilities can be exploited to execute code with the privileges of the current user.

One vulnerability allows malicious HTML documents to bypass the security zone restrictions using an XML object. This can be exploited to read arbitrary local files on the system.

One vulnerability allows malicious HTML documents to manipulate the way drag-and-drop works in DHTML events. This can be exploited to trick a user into accepting to download a file by making the user click a malicious link. The file can be saved in an arbitrary location.

Solution
Patches are available:
Further details available in Customer Area

Provided and/or discovered by
jelmer (CAN-2003-0817)

Changelog
Further details available in Customer Area

Original Advisory
Cumulative Security Update for Internet Explorer (824145)
http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

Windows XP Embedded Security Bulletin:
http://www.microsoft.com/downloads/details.aspx?familyid=90ae6b99-93aa-4eff-b97b-a72e336c3905&displaylang=en

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area