This is an updated bulletin describing a cumulative patch for Internet Explorer 5.5 and 6.0. The original patch released on December 4, 2002 is unchanged. However, since releasing the patch, Microsoft has received a report suggesting that the vulnerability addressed by this bulletin could be exploited to run arbitrary code on a user's machine. Microsoft investigated that report and was able to develop a demonstration that exploits the vulnerability to run arbitrary code. Microsoft has released this updated bulletin to advise customers of its new assessment of the potential impact of the vulnerability, and of its updated severity rating.
The original patch is unchanged and, in addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, eliminates one additional flaw in Internet Explorer's cross-domain security model. This flaw occurs because Internet Explorer carries out incomplete security checks when particular object caching techniques are used in web pages. This could have the effect of allowing an attacker to execute commands on a user's system.
Exploiting the vulnerability could enable an attacker to invoke an executable that was already present on the local system. It could also allow an attacker to load a malicious executable onto a user's system, or to pass parameters to an executable. However, a registry key setting discussed in Microsoft Knowledge Base Article 810687 disables shortcuts in HTML Help. This significantly reduces the scope of the vulnerability, because it removes the ability to load a malicious executable onto a user's system or to pass parameters to an executable.