Microsoft has issued a patch for Internet Explorer. We have verified that the patch does fix the flaw.

The core of the attack is a technique for delivering a document to the victim's browser while bypassing the security checks that would normally be applied to the document. If the document is, for example, a Microsoft Word template, it could contain a macro that executes any DOS command. The attacker could arrange things so the macro was executed automatically as a consequence of the victim visiting the attacker's page.

Normally, before Explorer downloads a dangerous file like a Word document, it displays a dialog box warning that the file might contain a virus or other dangerous content, and asking the user whether to abort the download or to proceed with the download anyway. This gives the user a chance to avoid the risk of a malicious document. However, our technique allows an attacker to deliver a document without triggering the dialog box.

The attack does not require the user to approve any actions by answering questions, requesting a download, or opening a document or program. Merely visiting a Web page containing the attack is enough to expose you to it.

Microsoft has been notified and they are working on fixing the problem. Until a remedy is widely available, we will not disclose further details about the flaw. Further details will appear on this page at a later date.

We do not know whether Windows NT users of Internet Explorer 3.0 are affected, though we suspect that they may be.

This flaw was found by Dirk Balfanz and Edward Felten. Contact Felten if you have questions.