[Full-disclosure] Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

From: Computer Terrorism (UK) :: Incident Response Centre (advisories@computerterrorism.com)
Date: Wed Mar 22 2006 - 09:33:26 CST

Computer Terrorism (UK) :: Incident Response Centre

Security Advisory :: CT22-03-2006

Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation: Computer Terrorism (UK)
Web: www.computerterrorism.com
Advisory Date: 22nd March, 2006

Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity: Critical
Impact: Remote System Access
Solution Status: ** UNPATCHED **


Following the public disclosure of the bug/vulnerability named above, this
document serves as a preliminary Security Advisory for users of Microsoft
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation allows a remote attacker to execute arbitrary code
on a fully patched Windows XP system, yielding system access with the
privileges of the user running the browser.

Technical Narrative:

As per the publication, the bug originates in the use of the
createTextRange() method, which, under certain circumstances, leads to the
dereference of an invalid/corrupt table pointer.
As a result, IE raises an exception when it attempts to call the dereferenced
32-bit address, as highlighted by the following snippet of code.


Because of the incorrect reference, ECX points to a very remote, non-existent
memory location, causing IE to crash (DoS).

However, although the location is somewhat distant, history dictates that a
condition of this nature is conducive to reliable exploitation.

Proof of Concept:

Computer Terrorism (UK) can confirm that it has produced a reliable proof of
concept (PoC) for this vulnerability (tested on Windows XP SP2).
However, until a patch is developed, we will NOT be publicly disclosing our

Temporary Solution:

Users are advised to disable active scripting for non-trusted sites until a
patch is released.
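To put the temporary solution into practice, the following added example (not part of this advisory) audits the "Active scripting" setting for the Internet and Restricted sites zones of the current user and, with the -Disable switch, sets it to Disable. It assumes the standard per-user IE zone registry layout (Zones\<zone>\1400, where 0 = Enable, 1 = Prompt, 3 = Disable); machine-wide policy keys under HKLM, if present, can override what is shown here.

```powershell
# Added example, not from the advisory: report and optionally disable IE Active scripting
# (URL action 1400) for the Internet (3) and Restricted sites (4) zones of the current user.
# Assumed layout: HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>\1400
param(
    [switch]$Disable   # without this switch the script only reports the current state
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($id in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zoneRoot $id
    if (-not (Test-Path $key)) {
        Write-Warning "Zone $id ($($zones[$id])) key not present; skipping."
        continue
    }

    # A missing 1400 value means the zone template default applies
    # (Enable for the Internet zone, Disable for Restricted sites).
    $current = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $current) {
        $label = 'not set (template default)'
    } elseif ($meaning.ContainsKey([int]$current)) {
        $label = $meaning[[int]$current]
    } else {
        $label = "unknown value $current"
    }
    Write-Output ("Zone {0} ({1}): Active scripting = {2}" -f $id, $zones[$id], $label)

    # Only write when asked to and when the zone is not already set to Disable.
    if ($Disable -and ([int]$current -ne 3)) {
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
        Write-Output ("  -> Active scripting set to Disable (3) for zone {0}" -f $id)
    }
}
```

Run without arguments to audit; add -Disable to apply the mitigation, and re-enable (value 0) or switch to Prompt (value 1) once the patch is installed.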

Vendor Status:

The Vendor has been informed of all aspects of this new vulnerability
(including the PoC), but as of the date of this document, this vulnerability is

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/