[Full-disclosure] Determina Fix for the IE createTextRange() bug
From: Alexander Sotirov (asotirovdetermina.com)
Date: Mon Mar 27 2006 - 23:10:42 CST
It seems like the IE 0-day generated a lot of activity among the HIPS vendors
this weekend. We at Determina spent the weekend working on a fix for the IE
createTextRange() bug. It's finally ready for download, including full source code:
It supports all versions of IE 5.01 and IE6.
The fix is a DLL that gets injected into all applications via the AppInit_DLLs
registry key. The DLL fixes the bug by patching a _single_ byte in MSHTML.DLL
when it is loaded in memory. This change makes the createTextRange() function
return an error code instead of returning 0. This is exactly how the problem was
fixed in the latest IE7 beta from March 20th.
If you are interested in the analysis of the bug, check out the comment before
the patch_module() function in CVE-2006-1359.cpp.
16 more days until the Microsoft patch.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
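
Because the fix described above is loaded into every process through the AppInit_DLLs registry value, an administrator deploying it may want to see exactly what that value lists on a host. The following is an added example, not part of the original post or of Determina's source code, that enumerates the entries and reports each DLL's signature status and hash. It assumes 64-bit PowerShell 4 or later; the function name is hypothetical, and the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values exist only on later Windows versions and read as empty elsewhere.

```powershell
# Added example: list every DLL named in AppInit_DLLs and check it on disk.
# Assumption: run from 64-bit PowerShell so both registry views are visible.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllAudit {   # hypothetical helper name
    param([string[]]$KeyPath = $AppInitKeys)

    foreach ($key in $KeyPath) {
        # Wow6432Node is absent on 32-bit Windows
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key
        $raw   = [string]$props.AppInit_DLLs

        # Assumption: bare file names are looked up in the system directory
        # that matches the registry view (an approximation of the loader's search).
        $sysDir = if ($key -like '*Wow6432Node*') { "$env:windir\SysWOW64" }
                  else { "$env:windir\System32" }

        # The value is a list of DLL names separated by spaces or commas
        $entries = $raw -split '[ ,]+' | Where-Object { $_ }

        foreach ($entry in $entries) {
            $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                    else { Join-Path $sysDir $entry }
            $exists = Test-Path -LiteralPath $path -PathType Leaf

            [pscustomobject]@{
                Key           = $key
                Entry         = $entry
                ResolvedPath  = $path
                LoadEnabled   = $props.LoadAppInit_DLLs           # empty where the value is absent
                RequireSigned = $props.RequireSignedAppInit_DLLs  # empty where the value is absent
                Exists        = $exists
                Signature     = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
                SHA256        = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

Get-AppInitDllAudit | Format-List
```

An entry that does not exist on disk, is unsigned, or does not match the hash of the DLL you deployed is worth investigating, since anything listed in this value is loaded alongside the fix.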