[Full-disclosure] Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS)

From: Alexander Sotirov (asotirovdetermina.com)
Date: Sun Jan 28 2007 - 23:58:42 CST

I thought that after the success of MoBB last year, fuzzing browsers would be
pointless, since all vendors would take care of the easily-found bugs before a
release. It turns out that I was wrong. I ran a very simple ActiveX fuzzer
against Vista and found a NULL pointer dereference bug in no time. The
vulnerable ActiveX control is on the pre-approved list in IE7, which makes the
bug easy to trigger with no security warnings and no user interaction.

Try this:

<script language="JavaScript">
    obj = new ActiveXObject("giffile");

MSRC said that this is a reliability bug and not a security issue, and it will
be fixed at some point in the future. I agree that DoS bugs against IE are not
very important (as long as skape doesn't drop any more vulns like MS06-051 :-),
but it's interesting that such a simple bug in such an obvious part of the IE7
attack surface was not discovered and fixed before the release.

See the full technical details at

More about fuzzers and ActiveX at

Alexander Sotirov
Determina Security Research
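The post's point is that the control is on IE7's pre-approved list, so it can be instantiated from a web page with no prompt. An administrator who wants to check that claim on a given machine, or verify that a kill bit has been applied while waiting for a fix, can do it from the registry. The following PowerShell is an added example, not code from the original post or from Determina: it resolves a ProgID (the post's "giffile" is the default) to its CLSID and reports whether that CLSID appears under IE's PreApproved key and whether the kill bit (0x400 in "Compatibility Flags") is set. The registry locations are the documented IE ones; the function name is this example's own.

```powershell
# Added example (not from the original post): resolve an ActiveX ProgID to its
# CLSID and report its pre-approved and kill-bit status in Internet Explorer.
param([string]$ProgId = "giffile")   # ProgID taken from the post

function Get-ActiveXStatus {
    param([Parameter(Mandatory)][string]$ProgId)

    # HKCR\<ProgID>\CLSID holds the CLSID as its default value.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" `
              -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; PreApproved = $false; KillBit = $false }
    }

    # Controls listed here load in IE without an approval prompt.
    $preApproved = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$clsid"

    # Kill bit: bit 0x400 of "Compatibility Flags" under ActiveX Compatibility\<CLSID>.
    $compat = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" `
              -ErrorAction SilentlyContinue
    $flags = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }
    $killBit = ($flags -band 0x400) -ne 0

    [pscustomobject]@{ ProgId = $ProgId; Clsid = $clsid; PreApproved = $preApproved; KillBit = $killBit }
}

Get-ActiveXStatus -ProgId $ProgId | Format-List
```

On 64-bit Windows the 32-bit IE process reads the WOW6432Node copies of the HKLM keys, so check both hives if a kill bit is expected but not reported. Setting the kill bit only blocks the control inside IE; it does not touch the underlying COM object used elsewhere.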
