[Japanese]

JVNDB-2006-000345

Microsoft Internet Explorer address bar spoofing vulnerability

Overview

Microsoft Internet Explorer contains an address bar spoofing vulnerability. A remote attacker can cause a spoofed content to be displayed in a user's web browser window. The address bar and other parts of the trust user interface can be displayed in the context of a trusted site while the spoofed content remains under the control of the remote attacker.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Microsoft Corporation
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 6 for Microsoft Windows XP
  • Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
  • Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Professional x64 Edition
  • Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows 2000
  • Microsoft Windows 9X 98
  • Microsoft Windows 9X 98 scd
  • Microsoft Windows 9X me
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 (itanium)
  • Microsoft Windows Server 2003 (x64)
  • Microsoft Windows XP sp3
  • Microsoft Windows XP (x64)

Impact

An user could be navigated to visit an untrusted malicous website even though the user intends to visit a trusted website. Therefore an attacker could possibly conduct a physing attack.
Solution

Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS06-021
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2006-2384
References

  1. JVN : JVNTA06-164A (Japanese)
  2. JVN : JVN#74969119
  3. JVN Status Tracking Notes : TRTA06-164A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2006-2384
  5. US-CERT Cyber Security Alerts : SA06-164A
  6. US-CERT Technical Cyber Security Alert : TA06-164A
  7. SecurityFocus : 18321
  8. FrSIRT Advisories : FrSIRT/ADV-2006-2319
Revision History

  • [2008/05/21]
      Web page published